What Happens When Bing’s Mobile Apps Leak Over 6.5 TB of User Data?
A recent investigation revealed that an unsecured server containing more than 6.5 TB of user data from Bing’s iOS, iPadOS, and Android apps was exposed, allowing attackers to harvest nearly 100 million records and launch destructive “Meow” attacks that nearly wiped the Elasticsearch database.
Incident Timeline
September 10, 2023 – The Elasticsearch server that indexed Bing mobile app data was unintentionally left open without authentication.
September 12 – White‑hat group WizCase discovered the open endpoint containing more than 6.5 TB of user records.
September 12‑14 – Automated “Meow” attacks attempted to delete the index; the first attack nearly erased the entire database, and by the second attack on September 14 the attackers had already harvested close to 100 million records.
September 13 – Microsoft received a warning about the exposure.
September 16 – Microsoft Security Response Center began securing the server.
Exposed Data Types
Plain‑text search queries submitted from Bing iOS, iPadOS, and Android apps.
Device location coordinates (when location services were enabled).
Accurate timestamps of each search request.
Firebase notification tokens (used for push notifications).
Coupon or promotional data embedded in search result terms.
Partial URLs of pages accessed via search results.
Device model identifiers.
Device‑specific identifiers such as deviceID, devicehash, and ADID.
Technical Context of the Server
The exposed service was an Elasticsearch cluster, a distributed, high‑performance search engine commonly used by enterprises to index billions of documents. Elasticsearch clusters are typically protected by HTTP basic authentication, IP‑based firewall rules, or VPN access. In this case the cluster was reachable over the public internet without any of these controls, allowing unrestricted read access and, as the “Meow” deletion attempts showed, unrestricted write access as well.
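The controls named above map to a handful of node settings. The following is an added example, not code from the article or from Elastic: a small audit that reads an elasticsearch.yml and reports the settings that would leave a cluster in the state described here (listener bound to every interface, security stack off, no TLS). It uses a minimal flat "key: value" parser so it runs with the standard library only; the two configurations are constructed for the demo, the setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled, xpack.security.transport.ssl.enabled) are real Elasticsearch settings, and the finding texts and thresholds are the example's own.

```python
"""Added example: audit an elasticsearch.yml for the controls the article
describes as missing. Not from the article or from Elastic."""
from typing import Dict, List, Tuple

# Constructed sample: cluster bound to all interfaces with the built-in
# security features switched off, i.e. the exposed state described above.
EXPOSED_YML = """\
cluster.name: app-search-index
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same cluster bound to a private address with
# authentication and TLS for both REST and node-to-node traffic enabled.
HARDENED_YML = """\
cluster.name: app-search-index
network.host: 10.0.12.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# network.host values that bind the listener to every (or every public) interface.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines elasticsearch.yml normally consists of.
    Comments and blank lines are skipped; nested YAML is out of scope."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting, finding) pairs for each weak or missing control.
    The default for xpack.security.enabled has differed between major
    versions, so the audit requires an explicit 'true' rather than trusting
    the default."""
    findings: List[Tuple[str, str]] = []

    def is_true(key: str) -> bool:
        return settings.get(key, "").lower() == "true"

    if not is_true("xpack.security.enabled"):
        findings.append(("xpack.security.enabled",
                         "authentication not explicitly enabled; REST API answers anonymous requests"))
    if not is_true("xpack.security.http.ssl.enabled"):
        findings.append(("xpack.security.http.ssl.enabled",
                         "REST traffic (including any basic-auth credentials) travels in clear text"))
    if not is_true("xpack.security.transport.ssl.enabled"):
        findings.append(("xpack.security.transport.ssl.enabled",
                         "node-to-node traffic is unencrypted"))
    # network.host defaults to loopback, so a missing key is the safe case.
    host = settings.get("network.host", "127.0.0.1")
    if host in PUBLIC_BINDS:
        findings.append(("network.host",
                         f"bound to {host}: port 9200 is reachable from every network unless a firewall blocks it"))
    return findings


def audit_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse a config and audit it in one call."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_YML), ("hardened", HARDENED_YML)):
        print(f"[{label}]")
        for setting, msg in audit_text(cfg) or [("-", "no findings")]:
            print(f"  {setting}: {msg}")
```

Run against the exposed sample the audit reports four findings; against the hardened sample it reports none. A firewall rule or VPN in front of the node is still needed, since network.host only controls the bind address.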
Potential Abuse Scenarios
Querying the index by text or location enables adversaries to locate specific users and build detailed profiles.
Collected identifiers (deviceID, ADID) can be used for targeted advertising fraud or credential stuffing.
Location data combined with timestamps may facilitate physical stalking or extortion.
Notification tokens could be abused to send malicious push notifications.
Common Causes of Elasticsearch Data Leaks
Historical incidents show that Elasticsearch exposures often stem from:
Administrator oversight, such as forgetting to set a password or leaving the default configuration.
Misconfigured firewalls or VPN outages that unintentionally expose internal IP ranges.
Copying production indices to development or test environments without replicating security controls.
Mitigation Guidance
While the breach originated from a Microsoft‑owned service, the technical takeaways for operators are:
Always enable authentication (e.g., X‑Pack security features or HTTP basic auth) and TLS on Elasticsearch nodes.
Restrict network access to trusted IP ranges or VPNs.
Monitor for unusual data‑exfiltration patterns, such as rapid growth of index size or repeated bulk‑download requests.
Implement automated backups and immutable snapshots to recover from destructive attacks like the “Meow” deletion attempts.
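The monitoring item above is concrete enough to script. The following is an added example, not code from the article: it scans access log lines from a reverse proxy fronting the cluster's REST API and flags the two behaviours seen in this incident, bulk reads through scroll or very large page sizes (the harvesting of records) and DELETE requests against indices (the “Meow” deletion attempts), plus the “-meow” index-name suffix those attacks are known to leave behind. The log lines are constructed in Common Log Format for the demo, and the thresholds (page size, requests per window) are assumptions to be tuned per deployment.

```python
"""Added example: flag bulk exfiltration and Meow-style index deletion in
proxy access logs in front of Elasticsearch. Not from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: Common Log Format lines from a proxy in front of port 9200.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2023:03:14:01 +0000] "GET /bing-app-index/_search?size=10000&scroll=1m HTTP/1.1" 200 8192000
203.0.113.7 - - [12/Sep/2023:03:14:03 +0000] "POST /_search/scroll HTTP/1.1" 200 8191880
203.0.113.7 - - [12/Sep/2023:03:14:05 +0000] "POST /_search/scroll HTTP/1.1" 200 8190412
203.0.113.7 - - [12/Sep/2023:03:14:07 +0000] "POST /_search/scroll HTTP/1.1" 200 8194101
10.0.12.40 - - [12/Sep/2023:03:15:10 +0000] "GET /bing-app-index/_search?q=coffee&size=10 HTTP/1.1" 200 2311
198.51.100.9 - - [12/Sep/2023:03:20:44 +0000] "DELETE /bing-app-index HTTP/1.1" 200 21
198.51.100.9 - - [12/Sep/2023:03:20:45 +0000] "PUT /bing-app-index-meow HTTP/1.1" 200 64
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Assumed thresholds: a size= at or above BULK_SIZE is a bulk read, and
# BULK_REQUESTS bulk reads from one client inside WINDOW raise an alert.
BULK_SIZE = 1000
BULK_REQUESTS = 3
WINDOW = timedelta(minutes=1)


def parse(log_text: str) -> List[dict]:
    """Parse CLF lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def index_name(path: str) -> str:
    """First path segment without the query string, e.g. '/idx/_search?q' -> 'idx'."""
    return path.lstrip("/").split("/", 1)[0].split("?", 1)[0]


def is_bulk_read(path: str) -> bool:
    """Scroll continuation calls, or _search with a scroll or a very large page size."""
    if path.startswith("/_search/scroll"):
        return True
    if "_search" in path:
        size = re.search(r"[?&]size=(\d+)", path)
        return "scroll=" in path or bool(size and int(size.group(1)) >= BULK_SIZE)
    return False


def is_index_path(path: str) -> bool:
    """True for /<index>[/...] where <index> is a data index, not a _ API endpoint."""
    name = index_name(path)
    return bool(name) and not name.startswith("_")


def detect(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP to the sorted list of alert names raised for it."""
    alerts: Dict[str, set] = defaultdict(set)
    bulk_times: Dict[str, List[datetime]] = defaultdict(list)
    for ev in parse(log_text):
        ip, method, path = ev["ip"], ev["method"], ev["path"]
        if is_bulk_read(path):
            bulk_times[ip].append(ev["ts"])
            # sliding window ending at the current request
            recent = [t for t in bulk_times[ip] if ev["ts"] - t <= WINDOW]
            if len(recent) >= BULK_REQUESTS:
                alerts[ip].add("bulk-read")
        if method == "DELETE" and is_index_path(path):
            alerts[ip].add("index-deletion")
        if index_name(path).endswith("-meow"):
            alerts[ip].add("meow-signature")
    return {ip: sorted(names) for ip, names in alerts.items()}


if __name__ == "__main__":
    for ip, names in detect(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")
```

On the sample, the scraping client is flagged for bulk-read after its third scroll request inside the one-minute window, the ordinary user searching with size=10 raises nothing, and the client that deletes an index and creates a “-meow” one is flagged twice. With authentication in place these requests would also carry a username, which is the field to alert on first; on an unauthenticated cluster the source IP is all the log offers.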
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB