A back-end server associated with Microsoft Bing exposed sensitive data of the search engine’s mobile application users, including search queries, device details, and GPS coordinates, among others.
The logging database, however, doesn’t include any personal details such as names or addresses.
The data leak, discovered by Ata Hakcil of WizCase on September 12, is a massive 6.5TB cache of log files that was left for anyone to access without any password, potentially allowing cybercriminals to leverage the information for carrying out extortion and phishing scams.
According to WizCase, the Elastic server is believed to have been password protected until September 10, after which the authentication seems to have been inadvertently removed.
After the findings were privately disclosed to Microsoft Security Response Center, the Windows maker addressed the misconfiguration on September 16.
Misconfigured servers have been a constant source of data leaks in recent years, resulting in exposure of email addresses, passwords, phone numbers, and private messages.
“Based on the sheer amount of data, it is safe to speculate that anyone who has made a Bing search with the mobile app while the server has been exposed is at risk,” said WizCase’s Chase Williams in a Monday post. “We saw records of people searching from more than 70 countries.”
Some of the search terms comprised of predators looking for child porn and the websites they visited following the search as well as “queries related to guns and interest in shootings, with search histories that included shopping for guns, and search terms like ‘kill commies.’”
Aside from device and location details, the data also consisted of the exact time the search was performed using the mobile app, a partial list of the URLs the users visited from the search results, and three unique identifiers, such as ADID (a numeric ID assigned by Microsoft Advertising to an ad), “deviceID”, and “devicehash.”
In addition, the server also came under what’s called a “meow attack” at least twice, an automated cyberattack that has wiped data from over 14,000 unsecured database instances since July with no explanation.
Although the leaky server didn’t reveal names and other personal information, WizCase cautioned that the data could be exploited for other nefarious purposes, in addition to exposing users to physical attacks by letting criminals triangulate their whereabouts.
“Whether it’s searching for adult content, cheating on a significant other, extreme political views, or hundreds of embarrassing things people search for on Bing,” the company said. “Once the hacker has the search query, it could be possible to find out the person’s identity thanks to all the details available on the server, making them an easy blackmail target.”