The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced a company portal and extracted customer data, including physical addresses, directly from Dell’s servers.
TechCrunch verified that some of the scraped data matched the personal information of Dell customers.
On Thursday, Dell sent an email to customers saying the computer maker had suffered a data breach that included customer names, physical addresses and Dell order information.
“We believe there is no significant risk to our customers given the type of information involved,” Dell wrote in the email, in an attempt to downplay the impact of the breach, implying that it does not consider customer addresses to be “particularly sensitive” information.
The threat actor said he registered under several different names on a particular Dell portal as a “partner”. A partner, he said, is a company that resells Dell products or services. After Dell approved the partner accounts, the threat actor, who goes by Menelik, said he brute-forced customer service tags, which are seven characters long and consist only of digits and consonants. He also said that “any kind of partner” could access the portal he used.
“[I] sent more than 5,000 requests per minute to this page containing sensitive information. Believe me or not, I kept doing this for almost 3 weeks and Dell did not notice anything. Almost 50 million requests… After I thought I had enough data, I sent several emails to Dell and notified them of the vulnerability. It took them almost a week to fix everything,” Menelik told TechCrunch.
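The account above describes a single partner account walking through a short, fixed-format identifier space at a rate far above anything a reseller would generate, without the portal reacting. The detection below is an added example, not code from TechCrunch or Dell: it parses constructed portal access-log lines and, per account, counts distinct service tags looked up in a sliding one-minute window, flagging accounts that exceed a threshold and reporting the share of lookups that returned 404 (a reseller checking real customer tags rarely misses). The log format, account names, tag pattern and thresholds are all assumptions; the threshold of 20 distinct tags per minute is deliberately far below the 5,000 requests per minute the article reports.

```python
"""Detect service-tag enumeration in partner-portal access logs.

Added example, not from the TechCrunch article or from Dell. The log
format, field names, account names, tag pattern and thresholds are all
assumptions constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: "<ISO8601 UTC timestamp> <account> GET /lookup?tag=<7-char tag> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<account>\S+) GET /lookup\?tag=(?P<tag>[A-Z0-9]{7}) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one access-log line; return (ts, account, tag, status) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["account"], m["tag"], int(m["status"])


def detect_enumeration(lines, window_seconds=60, max_distinct=20, min_miss_ratio=0.5):
    """Return {account: alert} for accounts whose distinct-tag count in any
    sliding window exceeds max_distinct. Lines are assumed to be in time order.

    The 404 share is a secondary indicator: sweeping an identifier space
    produces mostly misses, while a reseller looking up real tags does not.
    """
    windows = defaultdict(deque)  # account -> deque of (ts, tag, status) inside the window
    alerts = {}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip malformed lines rather than crash the detector
        ts, account, tag, status = parsed
        q = windows[account]
        q.append((ts, tag, status))
        cutoff = ts.timestamp() - window_seconds
        while q and q[0][0].timestamp() < cutoff:
            q.popleft()
        distinct = {t for _, t, _ in q}
        if len(distinct) > max_distinct:
            prev = alerts.get(account)
            if prev is None or len(distinct) > prev["distinct_tags"]:
                misses = sum(1 for _, _, s in q if s == 404)
                alerts[account] = {
                    "window_end": ts.isoformat(),
                    "requests": len(q),
                    "distinct_tags": len(distinct),
                    "miss_ratio": round(misses / len(q), 2),
                    "likely_enumeration": misses / len(q) >= min_miss_ratio,
                }
    return alerts


def build_sample_log():
    """Constructed sample: one ordinary reseller and one account sweeping tags."""
    lines = []
    # Ordinary reseller: a few repeated lookups of existing tags, minutes apart.
    for i, tag in enumerate(["7RT9K2M", "7RT9K2M", "4GH8BQ3", "4GH8BQ3"]):
        lines.append(f"2024-04-10T09:{i * 5:02d}:00Z reseller-ok GET /lookup?tag={tag} 200")
    # Sweeping account: 120 sequential tags within 60 seconds, nine in ten a miss.
    for i in range(120):
        status = 200 if i % 10 == 0 else 404
        lines.append(f"2024-04-10T10:00:{i // 2:02d}Z sweeper GET /lookup?tag=BC1{i:04d} {status}")
    return lines


if __name__ == "__main__":
    for account, alert in detect_enumeration(build_sample_log()).items():
        print(account, alert)
```

Run as a script it reports only the `sweeper` account; the reseller never exceeds two distinct tags in a window. In a real deployment the same per-account window would feed rate limiting on the lookup endpoint itself, so that the response to crossing the threshold is a throttle or account review rather than an alert after the fact.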
Menelik, who shared screenshots of several emails he sent in mid-April, also said he stopped scraping at some point and didn’t get the full database of customer data. A Dell spokesperson confirmed to TechCrunch that the company received the threat actor’s emails.
The threat actor listed the stolen database of Dell customer data on a well-known hacking forum. The forum listing was first reported by Daily Dark Web.
TechCrunch confirmed that the threat actor holds legitimate Dell customer data by sharing, with their permission, the names and service tags of a handful of people who had received the breach notification email from Dell. In one case, the threat actor found a customer’s personal information by searching the stolen files for their name. In another case, he was able to find a victim’s matching record by searching for the specific hardware service tag from an order the victim had placed.
In other cases, Menelik couldn’t find the information and said he doesn’t know how Dell identified the affected customers. “Judging by checking the names you provided, it looks like they sent this message to unaffected customers,” the threat actor said.
Dell has not said whose physical addresses were exposed. TechCrunch’s analysis of a sample of the scraped data shows that the addresses appear to belong to the original purchaser of the Dell equipment, such as a business buying an item for a remote employee. For consumers buying directly from Dell, TechCrunch found that many of those physical addresses also correspond to the consumer’s home address or another location where they picked up the item.
Dell did not dispute our findings when reached for comment.
When TechCrunch sent a series of specific questions to Dell based on what the threat actor said, an unnamed company spokesperson said that “prior to receiving the threat actor’s email, Dell was already aware of and investigating the incident, applying our response procedures and taking containment steps.” Dell did not provide evidence for this claim.
“Keep in mind, this threat actor is a criminal and we have notified law enforcement. We are not releasing any information that could compromise the integrity of our ongoing investigation or any inquiries by law enforcement,” the spokesperson wrote.