Menelik, a man who claims to have 49 million Dell customer records, told TechCrunch that he brute-forced online company portals and collected customer data, including physical addresses, directly from Dell's servers. he said.
TechCrunch confirmed that some of the scraped data matched personal information of Dell customers.
On Thursday, the computer maker sent an email to customers informing them that a data breach had occurred that included customer names, addresses and Dell order information.
“Given the type of information involved, we do not believe there is a material risk to our customers,” Dell wrote in an email, attempting to downplay the impact of the breach, adding that customers' addresses were “highly sensitive and ” He suggested that he did not consider it information. .
The attacker stated that he had registered as a “partner” on a particular Dell portal under several different names. He said partners are companies that resell Dell products and services. After Dell approved the partner account, Menelik said it brute-forced the customer service tag, which consists of just a seven-digit number and a consonant. He also said that “partners of all kinds” can access the portal they are granted access to.
“[I] sent more than 5,000 requests per minute to this page containing sensitive information. Believe it or not, she did this for nearly three weeks and Del noticed nothing. Nearly 50 million requests…Once we thought we had enough data, we sent multiple emails to Dell informing them of the vulnerability. It took nearly a week to repair everything,” Menelik told TechCrunch.
Menelik, who shared screenshots of multiple emails he sent in mid-April, also said that at some point he stopped scraping and was no longer able to obtain a complete database of customer data. A Dell spokesperson confirmed to TechCrunch that the company received the threat actor's email.
The attackers listed the stolen database of Dell customer data on a well-known hacking forum. The forum listing was first reported by Daily Dark Web.
TechCrunch confirmed that the attacker had legitimate Dell customer data by sharing service tags (with permission) with several customers who received breach notification emails from Dell. In one case, an attacker discovered a customer's personal information by searching for the customer's name in stolen records. In another case, we were able to find the corresponding record of another victim by searching for her tag for a specific hardware service that the victim had ordered.
In other cases, Menelik said he could not find any information and did not know how Dell identified affected customers. “Based on the name you provided, it appears you sent this email to unaffected customers,” the attacker said.
Dell did not say who the physical addresses belong to. Analysis of a sample of data scraped by TechCrunch shows that these addresses appear to be related to the original purchasers of the Dell equipment, such as companies that purchased goods for remote employees. It was done. TechCrunch found that when a consumer buys directly from his Dell, many of those physical addresses are correlated with the consumer's home address and other locations where the item was shipped.
Dell did not dispute the findings when asked for comment.
When TechCrunch sent Dell a series of specific questions based on the threat actor's statements, an anonymous company spokesperson said, “Prior to receiving the threat actor's email, Dell was already aware of and investigating the incident. “We have implemented response procedures to contain the incident.” step. ” Dell has provided no evidence for this claim.
“Please remember, this threat actor is a criminal and we have notified law enforcement. “We do not disclose any sexually sensitive information,” the spokesperson said.