The person who claimed to have stolen the physical addresses of 49 million Dell customers appears to have gotten more data from a different Dell portal, according to TechCrunch.
The recently breached data includes names, phone numbers and email addresses of Dell customers. This personal data is contained in “customer service reports”, which also include information about the hardware and replacement parts, feedback from field engineers, shipment numbers and, in some cases, diagnostic logs uploaded from the customer’s computer.
Several reports seen by TechCrunch contain photos apparently taken by customers and uploaded to Dell seeking technical support. Some of those images contain metadata that reveals the exact GPS coordinates of the location where the customer took the photos, according to a sample of the data obtained by TechCrunch.
TechCrunch has confirmed that customers’ personal information appears genuine.
This is Dell’s second disclosure of exposed customer data in as many weeks. Last week, Dell notified customers that it had experienced a data breach, saying in an email that the tech giant was investigating “an incident involving a Dell portal that contains a database of limited types of customer information related to purchases from Dell”.
The stolen data included customer names and physical addresses, as well as less sensitive data such as “Dell hardware and order information, including service tag, product description, order date and related warranty information.”
Dell downplayed the breach at the time, saying the leak of customer addresses did not pose a “significant risk to our customers” and that the stolen information did not include “highly sensitive customer information,” such as email addresses and phone numbers.
An individual using the online handle Menelik claimed responsibility for both data breaches. In an interview with TechCrunch, Menelik provided a sample of the data he stole, which allowed TechCrunch to verify that the data was legitimate. Menelik also provided copies of emails he sent to Dell, and the company confirmed to TechCrunch that it received an email about the data breach from Menelik.
Now, it appears that Menelik found another flaw in another Dell portal that allowed him to scrape more customer data.
“I found something about email and phone number data,” Menelik told TechCrunch. “But I’m not going to do anything with it yet. I want to see how Dell responds to the current issue. [sic]”
Dell did not respond to TechCrunch’s request for comment.
Menelik said he had hacked the data of about 30,000 US customers and said the flaws he is exploiting are similar to the bugs that allowed him to obtain the first round of 49 million customer records. But this second vulnerability prevents him from collecting the data as quickly as during the first breach.
As TechCrunch first reported, in the first breach Menelik said he was able to scrape Dell customer data from a portal where he registered multiple accounts as an “affiliate,” meaning he pretended to run companies that resell Dell products or services. Once Dell approved his requests, Menelik said he was able to brute-force customer service tags, which consist of seven digits of only numbers and consonants.
Menelik posted an ad on a well-known hacking forum trying to sell the data. As of this writing, the listing has been deleted, and Menelik said it was because he sold the data, though he declined to say how much.
Asked what he plans to do with the new data, Menelik said he hasn’t decided yet.
Since some of the scraped data contains personal information of customers in the European Union, TechCrunch contacted Ireland’s national data protection authority, which did not immediately respond to a request for comment.
Contact us
Do you know more about this Dell hack? Or similar data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email. You can also contact TechCrunch via SecureDrop.