Bing is a Microsoft-owned search engine, and the stolen data belongs to its mobile app (iOS and Android). The data sat on an open server that held around 6.5 TB of data and was growing by 200 GB per day when it was discovered.
Users of the Bing mobile app on any platform, including iOS and iPadOS, are at risk after terabytes of users' personal information were stolen from an insecure server.
WizCase, a hacker group dedicated to good practices, discovered the open server on September 12; it had been protected until September 10. Microsoft was notified on September 13, once the server's owner had been identified. The unsecured server was protected by the Microsoft Security Response Center on September 16.
WizCase was able to identify data mining and a subsequent "Meow" attack during the time the server was open. A Meow attack is an automated attack on an exposed server that aims to wipe a large amount of data from the server. This Meow attack almost completely wiped the database.
About 100 million records had been collected by the "hackers" when a second Meow attack was launched against the server on September 14. Many types of hackers accessed the data while the server was open, so there was enough time to get almost all of the data on the server.
What does it mean for users?
An open server filled with terabytes of user data is a real treat for malicious hackers. The data on the server included the following:
- Plain-text search terms
- Location coordinates of users who have activated geolocation
- Exact search time
- Firebase claim token
- Term data in search results
- Partial list of URLs visited within the search results
- Model of the device used
- deviceID, devicehash and ADID of the user's device
This database can be used to search for specific users based on requests or locations, which can lead to fraud, blackmail, phishing or physical threats. The WizCase team was able to identify specific users who had searched for child pornography material, weapons, or where to attack specific groups of people.