Microsoft Secures Backend Server That Leaked Bing Data

Microsoft suffered a rare cyber-security lapse earlier this month when the company's IT staff accidentally left one of Bing's backend servers exposed online. From a report: The server was discovered by Ata Hakcil, a security researcher at WizCase, who exclusively shared his findings with ZDNet last week. According to Hakcil's investigation, the server is believed to have exposed more than 6.5 TB of log files containing 13 billion records originating from the Bing search engine. The Wizcase researcher was able to verify his findings by locating search queries he performed in the Bing Android app in the server's logs. Hakcil said the server was exposed online from September 10 to September 16, when he notified the Microsoft Security Response Center (MSRC), and the server was secured again with a password. Reached out for comment last week, Microsoft admitted to the mistake.

So! they hired

[oldgraybeard]

an outside contractor.

I thought nobody used Bing?

[Anonymouse Cowtard]

6.5TB of log files! Which of you people are using Bing and why?

Re:

[Fly Swatter]

The porn results are better than google's now.

Re:

[Pascoea]

Do people really struggle that bad finding porn to watch? I wasn't aware it was an issue. (And that's certainly not because I don't search for it.)

Re:

[Tablizer]

It's about variety, not "better", like wandering into a different bad part of town at 2am.

Re:

[Tablizer]

because it shows different porn

Re:

[theendlessnow]

Until very recently, we were able to use it as a data sharing conduit.

Misread

[SuperKendall]

At first I was like, what were they doing with Jamaican seasoning on a server anywa... oh, *backend*!

Now I wonder if all this catfish on the internet I read about it not what I thought either. Huh.

How can that possibly happen?

[dgatwood]

I know people make mistakes, but one would expect that a server like that should be designed to respond only to signed responses from their own front end machines. The very fact that it even matters whether such a machine was exposed or not raises serious concerns about their security/privacy practices in my mind.

Securing accounts on the machine should be part of deployment, and the systems shouldn't even make it possible to deploy to a system with anything other than the pre-baked account configuration.

A

Re:

[gweihir]

What happens is pretty simple: Arrogance and incompetence. I mean, we are talking about MS here. They are practically the very embodiment of these two qualities. Anybody competent would have done an independent penetration test for the deployment. It would have found this immediately. Anybody competent would have had pre-secured images, were it took work screwing up like this. Anybody competent would have had a checklist to make sure this does not happen. Anybody competent would actually have a network peri

they were the great BingHolio

[inode_buddha]

You call it Bing. We call it Bung. For thousands of seconds, security researchers have known about the Great Reach Around from Bung.

6.5TB?

[Pascoea]

select * from log where search not like '%porn%'

0 records found

What they don't tell you...

[Jerry Rivers]

...is that the log files are, like many Bing search results, from 10 years ago.

'Secured' it, did they?

[Rick Schumann]

So they rebooted it five times and called it good?

Re:

[Joe_Dragon]

5 times needed to install windows updates.

Microsoft suffered a

[troff]

*rare*?