Guanwangbetx

Threat Actor Reveals Scraping of 49M Dell Customer Addresses

The individual who claims to have obtained 49 million Dell customer records informed TechCrunch that he gained unauthorized access to an online company portal and collected customer data, including physical addresses, directly from Dell's servers.

TechCrunch verified that some of the collected data matches the personal information of Dell customers.

On Thursday, Dell notified customers via email about a data breach that compromised customer names, physical addresses, and order information.

"We believe there is minimal risk to our customers given the nature of the information involved," Dell stated in the email, attempting to downplay the breach's impact by suggesting that customer addresses are not considered "highly sensitive" data.

The threat actor explained that he registered under several different names on a specific Dell portal as a "partner." After Dell approved his partner accounts, he brute-forced customer service tags, which consist of seven characters made up of digits and consonants. He mentioned that any type of partner could access the portal he gained entry to.

"I sent over 5,000 requests per minute to this page containing sensitive information. Believe it or not, I continued this for nearly three weeks, and Dell failed to detect anything. Nearly 50 million requests... After acquiring what I needed, I sent multiple emails to Dell to report the vulnerability. It took them almost a week to address it," the threat actor told TechCrunch.
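The request rate and duration the threat actor describes are the kind of per-account pattern a lookup endpoint can alert on. The following is an added example, not code from the article, TechCrunch or Dell: it counts distinct service tags looked up per partner account over a short and a long sliding window. The log format, account names, tags and thresholds are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed limits: distinct service tags one partner account may look up per window.
RULES = [(timedelta(minutes=1), 60), (timedelta(days=1), 2000)]

def parse(line):
    """Constructed log format: '<ISO timestamp> <account> <HTTP status> <service tag>'."""
    ts, account, status, tag = line.split()
    return datetime.fromisoformat(ts), account, int(status), tag

def detect_enumeration(lines, rules=RULES):
    """Return {account: (first alert time, window, distinct tags seen in that window)}."""
    state = defaultdict(lambda: [(deque(), Counter()) for _ in rules])
    alerts = {}
    for line in lines:
        ts, account, _status, tag = parse(line)
        for (window, limit), (queue, tags) in zip(rules, state[account]):
            queue.append((ts, tag))
            tags[tag] += 1
            # Expire lookups that have fallen out of this sliding window.
            while ts - queue[0][0] > window:
                _, old = queue.popleft()
                tags[old] -= 1
                if tags[old] == 0:
                    del tags[old]
            if len(tags) > limit and account not in alerts:
                alerts[account] = (ts, window, len(tags))
    return alerts

def sample_log():
    """Constructed traffic: one normal partner, one fast and one slow enumerator."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(40):    # normal: 40 lookups over 40 minutes, 5 tags reused
        lines.append(f"{(start + timedelta(minutes=i)).isoformat()} partner-a 200 TAG{i % 5:04d}")
    for i in range(300):   # fast: ~83 requests/s (about 5,000 per minute), all distinct
        lines.append(f"{(start + timedelta(milliseconds=12 * i)).isoformat()} partner-b 404 F{i:06d}")
    for i in range(2500):  # slow: one new tag every 30 s, under the per-minute limit
        lines.append(f"{(start + timedelta(seconds=30 * i)).isoformat()} partner-c 404 S{i:06d}")
    return sorted(lines)

if __name__ == "__main__":
    for account, (ts, window, n) in detect_enumeration(sample_log()).items():
        print(f"{account}: {n} distinct tags within {window} at {ts}")
```

The daily rule is what catches the slower account, which never exceeds the per-minute limit.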

The threat actor, identified as Menelik, shared screenshots of the emails he sent in mid-April and indicated that he stopped scraping at one point and did not obtain the entire customer database. A Dell spokesperson confirmed receiving the threat actor's emails.

The threat actor listed the stolen Dell customer database on a well-known hacking forum, with the forum listing initially reported by Daily Dark Web.

TechCrunch confirmed that the threat actor genuinely holds Dell customer data by sharing a few names and service tags of customers who received Dell's breach notification email. The threat actor showed how he was able to find personal information by cross-referencing the stolen records. Dell has not disclosed the identities behind the physical addresses.

When TechCrunch questioned Dell about the threat actor's claims, a Dell spokesperson said that the company was already aware of and investigating the incident before receiving the threat actor's email, but provided no evidence of this. Dell emphasized that the threat actor is a criminal and that law enforcement has been notified, and refrained from sharing details that could jeopardize ongoing investigations.
