Microsoft suffered a rare cyber-security lapse earlier this month when the company’s IT staff accidentally left one of Bing’s backend servers exposed online.
The server was discovered by Ata Hakcil, a security researcher at WizCase, who exclusively shared his findings with ZDNet last week.
According to Hakcil’s investigation, the server is believed to have exposed more than 6.5 TB of log files containing 13 billion records originating from the Bing search engine.
The WizCase researcher was able to verify his findings by locating search queries he performed in the Bing Android app in the server’s logs.
Hakcil said the server was exposed online from September 10 to September 16, when he notified the Microsoft Security Response Center (MSRC), and the server was secured again with a password.
Reached for comment last week, Microsoft admitted to the mistake.
“We’ve fixed a misconfiguration that caused a small amount of search query data to be exposed,” a Microsoft spokesperson told ZDNet in an email last week.
“After analysis, we’ve determined that the exposed data was limited and de-identified.”
ZDNet, which was granted access to the server while it was exposed online without a password, can confirm that no personal user information was exposed.
Instead, the server exposed technical details, such as search queries, details about the user’s system (device, OS, browser, etc.), geo-location details (where available), and various tokens, hashes, and coupon codes.
The leaky server was identified as an Elasticsearch system. Elasticsearch servers are high-grade systems where companies aggregate large quantities of data to easily search and filter through billions of records.
Over the past four years, Elasticsearch servers have often been the source of accidental data leaks.
The reasons vary, ranging from administrators forgetting to set a password, to firewalls or VPN systems suddenly going down and exposing a company’s normally internal servers, to companies copying production data to test systems that aren’t always secured as thoroughly as their primary infrastructure.