Threat actor claims to have stolen 49 million Dell customer addresses before company found out
Menelik, who claims to have 49 million Dell customer records, told TechCrunch that he hacked into the company’s online portal and stole customer data, including physical addresses, directly from Dell servers.
TechCrunch has verified that some of the downloaded data matches the personal data of Dell customers.
On Thursday, the PC maker sent an email to customers saying it had suffered a data breach involving customer names, physical addresses and Dell order information.
“We believe there is no significant risk to our customers given the type of information involved,” Dell wrote in an email, trying to downplay the impact of the breach by suggesting it doesn’t consider customer addresses to be “highly sensitive” information.
The attacker stated that he had registered under several different names on a particular Dell portal as a “partner”. A partner, he said, means a company that resells Dell services or products. After Dell approved the partner accounts, Menelik said he brute-forced customer service tags, which consist of seven characters made up entirely of numerals and consonants. He also said that “any partner” could access the portal he had accessed.
“(I) was sending over 5,000 requests per minute to this site containing sensitive information. Believe it or not, I did this for almost 3 weeks and Dell didn’t notice anything. Nearly 50 million requests… Once I felt I had enough data, I sent multiple emails to Dell and notified them of the vulnerability. It took them almost a week to patch it all up,” Menelik told TechCrunch.
Menelik, who shared screenshots of several emails he sent in mid-April, also said that at some point he stopped scraping and didn’t obtain the complete customer database. A Dell spokesperson confirmed to TechCrunch that the company received emails from the threat actor.
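The activity described above (one authenticated account requesting thousands of different service tags per minute) is the kind of pattern a per-account sliding-window check surfaces. The following is an added example, not part of the original report and not Dell's code; the log fields, account names, thresholds and the choice to treat Y as a consonant are assumptions, and the sample log is constructed.

```python
from collections import Counter, deque

# Tag shape as described in the article: seven characters, numerals and
# consonants only (assumption: Y counts as a consonant).
ALPHABET = "0123456789BCDFGHJKLMNPQRSTVWXYZ"

def is_tag_shaped(tag):
    return len(tag) == 7 and set(tag.upper()) <= set(ALPHABET)

def find_enumerators(events, window_s=60, max_distinct=50):
    """events: time-ordered (epoch_seconds, account, service_tag) tuples.
    Returns {account: peak distinct tags in any window} for accounts
    that looked up more than max_distinct different tags per window."""
    windows, counts, peaks = {}, {}, {}
    for ts, account, tag in events:
        if not is_tag_shaped(tag):
            continue  # not a service-tag lookup
        win = windows.setdefault(account, deque())
        cnt = counts.setdefault(account, Counter())
        win.append((ts, tag))
        cnt[tag] += 1
        # Drop lookups that have aged out of the window.
        while win[0][0] <= ts - window_s:
            _, old = win.popleft()
            cnt[old] -= 1
            if cnt[old] == 0:
                del cnt[old]
        peaks[account] = max(peaks.get(account, 0), len(cnt))
    return {a: p for a, p in peaks.items() if p > max_distinct}

def make_tag(n):
    """Constructed test data only: encode an integer as a tag-shaped string."""
    out = ""
    for _ in range(7):
        n, r = divmod(n, len(ALPHABET))
        out = ALPHABET[r] + out
    return out

def sample_events():
    """Constructed log: one account sweeping ~83 tags/s (about 5,000 per
    minute, the rate quoted above) and one account with ordinary usage."""
    ev = [(i // 83, "partner-a", make_tag(1_000_000 + i)) for i in range(5000)]
    ev += [(t * 30, "partner-b", make_tag(42 + t % 5)) for t in range(20)]
    return sorted(ev)

if __name__ == "__main__":
    print(find_enumerators(sample_events()))
```

Counting distinct identifiers rather than raw requests keeps a busy reseller who repeatedly checks the same few tags below the threshold while a sweep across the tag space stands out.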
The attacker posted a stolen database containing Dell customer data on a well-known hacker forum. The forum listing was first reported by Daily Dark Web.
TechCrunch confirmed that the threat actor had credible Dell customer data by sharing several names and service tags of customers – with their consent – who received a breach notification email from Dell. In one case, the threat actor found a customer’s personal information by searching the stolen data for the customer’s name. In another case, he was able to find details about another victim by looking up the serial number of a specific piece of hardware from an order she placed.
In other cases, Menelik was unable to find this information and said he didn’t understand how Dell identified affected customers. “Based on checking the names you provided, it appears they sent this mail to unaffected customers,” the threat actor said.
Dell has not said whom the physical addresses belong to. TechCrunch’s analysis of a sample of the downloaded data shows that the addresses appear to refer to the original purchaser of the Dell hardware, such as a company purchasing the item for a remote employee. For consumers purchasing directly from Dell, TechCrunch found that many of these physical addresses also correspond to the buyer’s home address or another location where the product was shipped.
When reached for comment, Dell did not dispute our findings.
When TechCrunch sent Dell a series of specific questions based on what the threat actor said, an unnamed company spokesperson said that “prior to receiving the threat email, Dell was already aware of the incident and was investigating it, implementing our response procedures and taking protective actions.” Dell has not provided evidence to support this claim.
“Let us not forget that this threat actor is a criminal and we have notified law enforcement authorities. We will not be disclosing any information that might jeopardize the integrity of our ongoing investigation or any law enforcement investigation,” the spokesman wrote.