Microsoft server leaked 6.5TB of Bing search data

Posted on Thursday, September 24 2020 @ 11:41 CEST by Thomas De Maesschalck
The Register reports Microsoft accidentally exposed a 6.5TB Elastic server to the web. Curiously, the server was password protected until September 10, when authentication was removed for unknown reasons. WizCase code-prober Ata Hakcil discovered the leak on September 12 and reported the issue to Microsoft on September 13. The software giant then removed the database on September 16.

So what sort of data was leaked? The leaked data appears to have been generated by the Bing mobile app. It included search terms, location coordinates, device ID data, and a partial list of visited URLs. On the surface, it's all anonymous data, but earlier, similar leaks and data dumps have shown that there may be some privacy implications here:
It seems Microsoft's leaked data may likewise have privacy implications. WizCase screenshots show that the records include fields called deviceID, deviceHash, AdID and clientID, all of which are promising in terms of finding all the searches from a particular user. There are also coordinates showing location "within 500 metres," not precise enough to get an address, but helpful to someone trying to identify searchers.

The data also reveals some of the unsavoury things people search for, including illegal content. WizCase suggested that if criminals succeed in deanonymising the data, some individuals could be vulnerable to blackmail or phishing scams as a result.
Microsoft blames the data leak on a "misconfiguration".
