Dell hacker who stole 49 million customer records speaks out
In a recent revelation, a threat actor claims to have accessed and stolen 49 million Dell customer records by exploiting vulnerabilities in the company's online portal. The breach, which Dell attempted to downplay in an email to its customers, included sensitive personal information such as names, physical addresses, and Dell order details.
Speaking to a popular news outlet, the threat actor, who goes by the name Menelik, explained that he brute-forced his way into a company portal and scraped customer data directly from Dell's servers. Menelik revealed that he registered with multiple names as a "partner" on a particular Dell portal, which gave him access to sensitive customer information.
"I sent more than 5,000 requests per minute to this page that contains sensitive information. Believe me or not, I kept doing this for nearly 3 weeks and Dell did not notice anything. Nearly 50 Million requests… After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up," Menelik revealed.
Menelik further disclosed that he ceased scraping data at one point and did not obtain the complete database of customer information. He shared screenshots of emails sent to Dell in mid-April, notifying them of the vulnerability. It took Dell nearly a week to patch up the security flaw.
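The sustained request volume described above, spread across several partner registrations, is the kind of pattern a per-minute rate check over portal access logs can surface. The following is an added detection example, not code from Dell or from the original article; the log format, account names, paths and thresholds are all assumptions, and the sample traffic is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed thresholds, scaled down for the sample; tune to the portal's baseline.
PER_ACCOUNT_LIMIT = 300  # requests/minute from one partner account
PER_PATH_LIMIT = 1000    # requests/minute to one page, all accounts combined
SUSTAINED_MINUTES = 3    # consecutive minutes over a limit before alerting

def parse(line):
    """Constructed log format: '<ISO timestamp> <account> <path>'."""
    ts, account, path = line.split()
    return datetime.fromisoformat(ts).replace(second=0, microsecond=0), account, path

def sustained(minute_counts, limit, need):
    """True if `need` consecutive minutes each exceed `limit`."""
    run, prev = 0, None
    for minute in sorted(minute_counts):
        if minute_counts[minute] > limit:
            adjacent = prev is not None and minute - prev == timedelta(minutes=1)
            run, prev = (run + 1 if adjacent else 1), minute
        else:
            run, prev = 0, None
        if run >= need:
            return True
    return False

def detect(lines):
    by_account, by_path = defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        minute, account, path = parse(line)
        by_account[account][minute] += 1
        by_path[path][minute] += 1
    hot = lambda groups, limit: sorted(
        k for k, c in groups.items() if sustained(c, limit, SUSTAINED_MINUTES))
    return {"accounts": hot(by_account, PER_ACCOUNT_LIMIT),
            "paths": hot(by_path, PER_PATH_LIMIT)}

def sample_log():
    """Constructed traffic over four minutes (hypothetical accounts and paths)."""
    base, lines = datetime(2024, 1, 1, 9, 0), []
    rates = [("partner-heavy", "/partner/orders", 350),  # one noisy account
             ("partner-ok", "/partner/orders", 5)]       # normal use
    # Four accounts that each stay under the per-account limit on one page.
    rates += [(f"partner-{i}", "/partner/customer-lookup", 280) for i in range(4)]
    for m in range(4):
        stamp = (base + timedelta(minutes=m)).isoformat()
        for account, path, per_minute in rates:
            lines += [f"{stamp} {account} {path}"] * per_minute
    return lines
```

Calling `detect(sample_log())` flags the single noisy account by the per-account limit, while the four accounts that each stay under that limit are caught only by the combined per-page count.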
The stolen database of Dell customers' data was listed on a well-known hacking forum, as reported by Daily Dark Web. The news outlet confirmed the legitimacy of the stolen data by cross-referencing a handful of names and service tags of customers who received breach notification emails from Dell.
Responding to the revelations by the hacker, an unnamed company spokesperson claimed that Dell was already investigating the incident before receiving Menelik's email and had implemented response procedures and containment steps. However, Dell did not provide evidence to support this claim.
"Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement. We are not disclosing any information that could compromise the integrity of our ongoing investigation or any investigations by law enforcement," Dell wrote.