Threat actor says he scraped 49M Dell customer addresses before the company found out
Comment
The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell’s servers.
TechCrunch verified that some of the scraped data matches the personal information of Dell customers.
On Thursday, Dell sent an email to customers saying the computer maker had experienced a data breach that included customer names, physical addresses and Dell order information.
“We believe there is not a significant risk to our customers given the type of information involved,” Dell wrote in the email, in an attempt to downplay the impact of the breach, implying it does not consider customer addresses to be “highly sensitive” information.
The threat actor said he registered with several different names on a particular Dell portal as a “partner.” A partner, he said, refers to a company that resells Dell products or services. After Dell approved his partner accounts, Menelik said he brute-forced customer service tags, which are made of seven digits of only numbers and consonants. He also said that “any kind of partner” could access the portal he was granted access to.
“[I] sent more than 5,000 requests per minute to this page that contains sensitive information. Believe me or not, I kept doing this for nearly 3 weeks and Dell did not notice anything. Nearly 50 Million requests…After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,” Menelik told TechCrunch.
Menelik, who shared screenshots of the several emails he sent in mid-April, also said that at some point he stopped scraping and did not obtain the complete database of customer data. A Dell spokesperson confirmed to TechCrunch that the company received the threat actor’s emails.
The threat actor listed the stolen database of Dell customers’ data on a well known hacking forum. The forum listing was first reported by Daily Dark Web.
TechCrunch confirmed that the threat actor has legitimate Dell customer data by sharing a handful of names and service tags of customers — with their permission — who received the breach notification email from Dell. In one case, the threat actor found the personal information of a customer by searching the stolen records for his name. In another case, he was able to find the corresponding record of another victim by searching for the specific hardware service tag from an order she made.
In other cases, Menelik could not find the information, and said that he doesn’t know how Dell identified the impacted customers. “Judging by checking the names you gave, it looks like they sent this mail to customers who are not affected,” the threat actor said.
Dell has not said who the physical addresses belong to. TechCrunch’s analysis of a sample of scraped data shows that the addresses appear to relate to the original purchaser of the Dell equipment, such as a business purchasing an item for a remote employee. In the case of consumers buying directly from Dell, TechCrunch found many of those physical addresses also correlate to the consumer’s home address or other location where they had the item delivered.
Dell did not dispute our findings when reached for comment.
When TechCrunch sent a series of specific questions to Dell based on what the threat actor said, an unnamed company spokesperson said that “prior to receiving the threat actor’s email, Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps.” Dell did not provide evidence for this claim.
“Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement. We are not disclosing any information that could compromise the integrity of our ongoing investigation or any investigations by law enforcement,” wrote the spokesperson.
Every weekday and Sunday, you can get the best of TechCrunch’s coverage.
Startups are the core of TechCrunch, so get our best coverage delivered weekly.
The latest Fintech news and analysis, delivered every Sunday.
TechCrunch Mobility is your destination for transportation news and insight.
By submitting your email, you agree to our Terms and Privacy Notice.
Welcome to Week in Review: TechCrunch’s newsletter recapping the week’s biggest news. This week Apple unveiled new iPad models at its Let Loose event, including a new 13-inch display for…
The U.K. Safety Institute, the U.K.’s recently established AI safety body, has released a toolset designed to “strengthen AI safety” by making it easier for industry, research organizations and academia…
AI startup Runway’s second annual AI Film Festival showcased movies that incorporated AI tech in some fashion, from backgrounds to animations.
Rachel Coldicutt is the founder of Careful Industries, which researches the social impact technology has on society.
SAP Chief Sustainability Officer Sophia Mendelsohn wants to incentivize companies to be green because it’s profitable, not just because it’s right.
Here’s what one insider said happened in the days leading up to the layoffs.
StrictlyVC events deliver exclusive insider content from the Silicon Valley & Global VC scene while creating meaningful connections over cocktails and canapés with leading investors, entrepreneurs and executives. And TechCrunch…
Meesho, a leading e-commerce startup in India, has secured $275 million in a new funding round.
Some Indian government websites have allowed scammers to plant advertisements capable of redirecting visitors to online betting platforms. TechCrunch discovered around four dozen “gov.in” website links associated with Indian states,…
Around 550 employees across autonomous vehicle company Motional have been laid off, according to information taken from WARN notice filings and sources at the company. Earlier this week, TechCrunch reported…
The deck included some redacted numbers, but there was still enough data to get a good picture.
The company is describing the event as “a chance to demo some ChatGPT and GPT-4 updates.”
Unlike ChatGPT, Claude did not become a new App Store hit.
Welcome to Startups Weekly — Haje‘s weekly recap of everything you can’t miss from the world of startups. Sign up here to get it in your inbox every Friday. Look,…
Scarcely five months after its founding, hard tech startup Layup Parts has landed a $9 million round of financing led by Founders Fund to transform composites manufacturing. Lux Capital and Haystack…
AI startup Anthropic is changing its policies to allow minors to use its generative AI systems — in certain circumstances, at least. Announced in a post on the company’s official…
Zeekr’s market hype is noteworthy and may indicate that investors see value in the high-quality, low-price offerings of Chinese automakers.
Venture capital has been hit hard by souring macroeconomic conditions over the past few years and it’s not yet clear how the market downturn affected VC fund performance. But recent…
The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell’s…
The social network has announced an updated version of its app that lets you offer feedback about its algorithmic feed so you can better customize it.
Microsoft will launch its own mobile game store in July, the company announced at the Bloomberg Technology Summit on Thursday. Xbox president Sarah Bond shared that the company plans to…
Smart ring maker Oura is launching two new features focused on heart health, the company announced on Friday. The first claims to help users get an idea of their cardiovascular…
Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…
Garena is quietly developing new India-themed games even though Free Fire, its biggest title, has still not made a comeback to the country.
The U.S.’ NHTSA has opened a fourth investigation into the Fisker Ocean SUV, spurred by multiple claims of “inadvertent Automatic Emergency Braking.”
CoreWeave has formally opened an office in London that will serve as its European headquarters and home to two new data centers.
The Series C funding, which brings its total raise to around $95 million, will go toward mass production of the startup’s inaugural products
A dust-up between Evolve Bank & Trust, Mercury and Synapse has led TabaPay to abandon its acquisition plans of troubled banking-as-a-service startup Synapse.
The problem is not the media, but the message.
The Twitter for Android client was “a demo app that Google had created and gave to us,” says Particle co-founder and ex-Twitter employee Sara Beykpour.
Facebook
Youtube
LinkedIn
X
Instagram
Mastodon
Powered by WordPress VIP
Leave a Comment