Bing mobile app database left open to hackers, millions of user data sets compromised
Bing mobile app users on every platform including iOS and iPadOS are at risk after terabytes of user information have been stolen from an open server.
Bing mobile app leaked millions of users' data
Bing is the search engine owned by Microsoft, and data related to its mobile app for iOS and Android has been found on an open server. The server held over 6.5TB of data and was growing by 200GB per day upon discovery.
The white hat hacker group WizCase discovered the open server on September 12. According to the group, the server had been secure until September 10. Microsoft was alerted on September 13 after the server owner was discovered. The open server was secured by the Microsoft Security Response Center on September 16.
WizCase was able to identify an exfiltration of the data, and a subsequent "Meow" attack on the data during the open window. A Meow attack is an automated attack on an open server which aims to delete a large portion or all of the data on the server. This Meow attack deleted nearly the entire database.
Nearly 100 million records had been collected by bad actors by the time a second Meow attack hit the server on September 14. Many types of hackers had access to the data while the server was open, so much or all of the data could have been collected.
What does this mean for users?
An open server filled with terabytes of user data is a treasure trove for bad actors. The data on the server included the following:
- Plain-text search terms
- Location coordinates of users with location enabled
- Exact time of search
- Firebase notification tokens
- Coupon data for result terms
- A partial list of URLs visited within search results
- Device model
- deviceID, devicehash, and ADID for the user's device
Anyone could have downloaded the contents of the server during the six-day window. Internet-based assailants could target anyone who used the mobile app and whose data is present on this server. To protect yourself, do not open strange emails, and consider using alternative search engines like DuckDuckGo, which does not collect user data.
Comments
Because it's safer than Google sadly.
Obviously!
The reason why people use Bing ... tons of Microsoft loyalists DO exist you know. Those people are why Surface devices not only exist but generally meet their sales goals. So if you are totally invested in the Microsoft ecosystem then Edge is going to be your browser and you are not going to change the default search engine from Bing to Google (the Microsoft loyalists hate Google as much as the Apple ones do).
So as far as search engines go, "safer than Google" is basically GoDuckGo. Everyone else collects data and sells it for targeted ads just like Google does. Because ... how else are these companies going to make money? Exactly.