Threat actor says he scraped 49M Dell customer addresses before the company found out

by with No Comment Tech

The silhouette of Michael Dell, founder and chief executive officer of Dell Inc.. (Matthew Busch/Bloomberg via Getty Images)

Image Credits: Matthew Busch/Bloomberg / Getty Images

The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell’s servers. 

TechCrunch verified that some of the scraped data matches the personal information of Dell customers.

On Thursday, Dell sent an email to customers saying the computer maker had experienced a data breach that included customer names, physical addresses and Dell order information. 

“We believe there is not a significant risk to our customers given the type of information involved,” Dell wrote in the email, in an attempt to downplay the impact of the breach, implying it does not consider customer addresses to be “highly sensitive” information.

The threat actor said he registered with several different names on a particular Dell portal as a “partner.” A partner, he said, refers to a company that resells Dell products or services. After Dell approved his partner accounts, Menelik said he brute-forced customer service tags, which are made of seven digits of only numbers and consonants. He also said that “any kind of partner” could access the portal he was granted access to. 

“[I] sent more than 5,000 requests per minute to this page that contains sensitive information. Believe me or not, I kept doing this for nearly 3 weeks and Dell did not notice anything. Nearly 50 Million requests…After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,” Menelik told TechCrunch. 

Menelik, who shared screenshots of the several emails he sent in mid-April, also said that at some point he stopped scraping and did not obtain the complete database of customer data. A Dell spokesperson confirmed to TechCrunch that the company received the threat actor’s emails.

The threat actor listed the stolen database of Dell customers’ data on a well known hacking forum. The forum listing was first reported by Daily Dark Web.

TechCrunch confirmed that the threat actor has legitimate Dell customer data by sharing a handful of names and service tags of customers — with their permission — who received the breach notification email from Dell. In one case, the threat actor found the personal information of a customer by searching the stolen records for his name. In another case, he was able to find the corresponding record of another victim by searching for the specific hardware service tag from an order she made. 

In other cases, Menelik could not find the information, and said that he doesn’t know how Dell identified the impacted customers. “Judging by checking the names you gave, it looks like they sent this mail to customers who are not affected,” the threat actor said. 

Dell has not said who the physical addresses belong to. TechCrunch’s analysis of a sample of scraped data shows that the addresses appear to relate to the original purchaser of the Dell equipment, such as a business purchasing an item for a remote employee. In the case of consumers buying directly from Dell, TechCrunch found many of those physical addresses also correlate to the consumer’s home address or other location where they had the item delivered.

Dell did not dispute our findings when reached for comment.

When TechCrunch sent a series of specific questions to Dell based on what the threat actor said, an unnamed company spokesperson said that “prior to receiving the threat actor’s email, Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps.” Dell did not provide evidence for this claim.

“Let’s keep in mind, this threat actor is a criminal and we have notified law enforcement. We are not disclosing any information that could compromise the integrity of our ongoing investigation or any investigations by law enforcement,” wrote the spokesperson.

Threat actor scraped Dell support tickets, including customer phone numbers

by with No Comment Tech

A view of the logo of the American company Dell at the Mobile World Congress 2024. (Photo by Ramon Costa/SOPA Images/LightRocket via Getty Images)

Image Credits: Ramon Costa/SOPA Images/LightRocket / Getty Images

The person who claimed to have stolen the physical addresses of 49 million Dell customers appears to have taken more data from a different Dell portal, TechCrunch has learned.

The newly compromised data includes names, phone numbers and email addresses of Dell customers. This personal data is contained in customer “service reports,” which also include information on replacement hardware and parts, comments from on-site engineers, dispatch numbers and, in some cases, diagnostic logs uploaded from the customer’s computer. 

Several reports seen by TechCrunch contain pictures apparently taken by customers and uploaded to Dell seeking technical support. Some of these pictures contain metadata revealing the precise GPS coordinates of the location where the customer took the photos, according to a sample of the scraped data obtained by TechCrunch. 

TechCrunch has confirmed that the customers’ personal information appears genuine.  

This is the second disclosure of exposed Dell customer data in as many weeks. Last week, Dell notified customers that it had experienced a data breach, saying in an email that the technology giant was investigating “an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell.” 

The stolen data included customer names and physical addresses, as well as less sensitive data, such as “Dell hardware and order information, including service tag, item description, date of order and related warranty information.” 

Dell downplayed the breach at the time, saying that the spill of customer addresses did not pose “a significant risk to our customers,” and that the stolen information did not include “any highly sensitive customer information,” such as email addresses and phone numbers.

A person who goes by the online handle Menelik claimed responsibility for both data breaches. In an interview with TechCrunch, Menelik provided a sample of the data he stole, which allowed TechCrunch to verify that the data was legitimate. Menelik also provided copies of emails he sent to Dell, and the company confirmed to TechCrunch that it received an email about the data breach from Menelik.

Now, it appears Menelik found another flaw in another Dell portal, which allowed him to scrape more customer data.

“I did find something for email and phone number data,” Menelik told TechCrunch. “But I am not going to do anything with it yet. I want to see how Dell responds to current topic. [sic]”

A day after this article was published, an unnamed Dell spokesperson told TechCrunch that the company is aware of the reports and is investigating. 

Menelik said that he had scraped the data of around 30,000 U.S. customers, and said that the flaws he is exploiting are similar to the bugs that allowed him to obtain the first round of 49 million customer records. But this second vulnerability prevents him from collecting the data as quickly as during the first breach.  

As TechCrunch first reported, in the first breach Menelik said he was able to scrape Dell customers’ data from a portal where he registered several accounts as a “partner,” meaning he pretended to run companies that resells Dell products or services. Once Dell approved his requests, Menelik said he was able to brute-force customer service tags, which are made of seven digits of only numbers and consonants. 

Menelik posted an advertisement on a well-known hacking forum attempting to sell the data. As of the writing of this article, the listing has been deleted, and Menelik said it’s because he sold the data, although he declined to say for how much. 

Asked what he plans to do with the new data, Menelik said that he hasn’t decided yet. 

Given that some of the scraped data contains personal information on customers in the European Union, TechCrunch reached out to Ireland’s national data protection authority, which did not immediately respond to a request for comment.

UPDATE, Wednesday May 15, 2:45 p.m. ET: This story was updated to include Dell’s comment.

Contact Us

Do you know more about this Dell hack? Or similar data breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.