The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell’s servers.
TechCrunch verified that some of the scraped data matches the personal information of Dell customers.
On Thursday, Dell sent an email to customers saying the computer maker had experienced a data breach that included customer names, physical addresses and Dell order information.
“We believe there is not a significant risk to our customers given the type of information involved,” Dell wrote in the email, in an attempt to downplay the impact of the breach, implying it does not consider customer addresses to be “highly sensitive” information.
The threat actor said he registered with several different names on a particular Dell portal as a “partner.” A partner, he said, refers to a company that resells Dell products or services. After Dell approved his partner accounts, Menelik said he brute-forced customer service tags, which are made of seven digits of only numbers and consonants. He also said that “any kind of partner” could access the portal he was granted access to.
“[I] sent more than 5,000 requests per minute to this page that contains sensitive information. Believe me or not, I kept doing this for nearly 3 weeks and Dell did notice anything. Nearly 50 Million requests…After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,” Menelik told TechCrunch.
Menelik, who shared screenshots of the several emails he sent in mid-April, also said that at some point he stopped scraping and did not obtain the complete database of customer data. A Dell spokesperson confirmed to TechCrunch that the company received the threat actor’s emails.
The threat actor listed the stolen database of Dell customers’ data on a well known hacking forum. The forum listing was first reported by Daily Dark Web.
TechCrunch confirmed that the threat actor has legitimate Dell customer data by sharing a handful of names and service tags of customers — with their permission — who received the breach notification email from Dell. In one case, the threat actor found the personal information of one customer by searching the stolen records for his name. In another case, he was able to find the corresponding record of another victim by searching for the specific hardware service tag from an order she made.
In other cases, Menelik could not find the information, and said that he doesn’t know how Dell identified the impacted customers. “Judging by checking the names you gave, it looks like they sent this mail to customers who are not affected,” the threat actor said.
Dell has not said who the physical addresses belong to. TechCrunch’s analysis of a sample of scraped data shows that the addresses appear to relate to the original purchaser of the Dell equipment, such as a business purchasing an item for a remote employee. In the case of consumers buying directly from Dell, TechCrunch found many of those physical addresses also correlate to the consumer’s home address or other location where they had the item delivered.
Dell did not dispute our findings when reached for comment.
When TechCrunch sent a series of specific questions to Dell based on what the threat actor said, an unnamed company spokesperson said that “prior to receiving the threat actor’s email, Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps.” Dell did not provide evidence for this claim.
“Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement. We are not disclosing any information that could compromise the integrity of our ongoing investigation or any investigations by law enforcement,” wrote the spokesperson.