A threat actor claiming to be behind the recent Dell data breach has said he managed to steal the data of 49 million customers by brute-forceing a corporate portal and milking it for nearly three weeks.
Dell issued a statement saying there is no “significant risk to our customers.” However, the stolen data included names and mailing addresses, among other data related to purchases of Dell products.
The hacker, known as Menelik, told the story TechCrunch exactly how he managed to extract such a huge amount of data without being noticed.
Lurk
Menelik set up a number of partner accounts within the Dell Company Portal, which, once approved, allowed the hacker to brute force the customer service tags and gain access to the data. The hacker “sent more than 5,000 requests per minute to this page containing sensitive information.”
“Believe me or not, I kept doing this for almost three weeks and Dell didn’t notice a thing. Nearly 50 million requests… After I thought I had enough data, I sent several emails to Dell reporting the vulnerability. It took them almost a week to resolve everything,” Menelik said.
Dell confirmed this TechCrunch that they had received an email notification of the hacker’s vulnerability, and a company spokesperson stated that “this threat actor is a criminal and we have notified law enforcement. We will not disclose any information that could compromise the integrity of our ongoing investigation or investigations by law enforcement authorities.”
It’s possible that customers who weren’t affected by the breach were incorrectly notified that their data was stolen TechCrunch provided Menelik with names and service tags of a number of customers to verify against the database (with their permission), and while some were easy to find, others were not listed at all.