A hacker with the pseudonym Menelik has admitted to stealing the data of 49 million Dell customers—we told you about that hack last week. But now he says he’s also grabbed a bunch more.
Here’s how he did it. In today’s SB Blogwatch, we scrape the bottom of the barrel.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Memechasing.
What’s the craic? TechCrunch’s Lorenzo Franceschi-Bicchierai reports: Threat actor scraped Dell support tickets
“Dell downplayed the breach”
The person who claimed to have stolen the physical addresses of 49 million Dell customers appears to have taken more data from a different Dell portal. [It] includes names, phone numbers … email addresses of Dell customers [and] metadata revealing the precise GPS coordinates.
…
This is the second disclosure of exposed Dell customer data in as many weeks. Last week, … Dell downplayed the breach, saying that the spill of customer addresses did not pose “a significant risk to our customers,” and that the stolen information did not include “any highly sensitive customer information,” such as email addresses and phone numbers.
Who dunnit? And how? Here’s Lance Whitney, for ZD: Hacker claims to have stolen Dell customer data
“Watch out for scams”
A hacker who calls himself Menelik has taken credit for not one but two recent data breaches against PC maker Dell. … To perform the first attack, which reportedly affected 49 million Dell customers, … he registered with different names for Dell resellers on a specific portal. After Dell approved these partner accounts, … he brute-forced the seven-digit customer service tags. … To pull off the second attack, Menelik targeted another portal.
…
We hear about data breaches, cyberattacks, and stolen customer data regularly. And it’s always the same story: companies fail to effectively secure their infrastructure, data centers, and databases or patch critical security flaws; savvy hackers discover a vulnerability, giving them the keys to steal sensitive information. … Watch out for scams.
Wait. What? Bleeping’s Lawrence Abrams explains: Dell API abused
“Massive weakness”
Menelik says he could access the portal by registering multiple accounts under fake company names and had access within two days without verification. “It is very easy to register as a Partner. You just fill an application form,” Menelik told [me], “And then they just approve you, and give access.”
…
As the portal reportedly did not include any rate limiting, the threat actor claims they could harvest the information of 49 million customer records by generating 5,000 requests per minute for three weeks, without Dell blocking the attempts. … Easy-to-access APIs have become a massive weakness for companies in recent years, with threat actors abusing them to scrape sensitive data and sell them.
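For defenders, the pattern in these reports (one approved partner account walking through service tags at a high, sustained rate) is detectable from API access logs. The sketch below is an added example, not code from Dell or from any of the quoted articles; the log format, account names and thresholds are assumptions, and the sample log is constructed. It assumes each account's lines arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (hypothetical): "<ISO timestamp> partner=<id> tag=<service tag>"
LINE = re.compile(r"^(\S+) partner=(\S+) tag=(\S+)$")

def find_enumerators(lines, window_s=60, max_requests=100, max_distinct=50):
    """Return {partner: (peak_requests, peak_distinct_tags)} for accounts whose
    sliding-window request count or distinct-tag count exceeds a threshold."""
    windows = defaultdict(deque)  # partner -> (timestamp, tag) pairs inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore malformed lines
        ts = datetime.fromisoformat(m.group(1))
        partner, tag = m.group(2), m.group(3)
        win = windows[partner]
        win.append((ts, tag))
        # Drop lookups that have aged out of the window.
        while (ts - win[0][0]).total_seconds() > window_s:
            win.popleft()
        reqs = len(win)
        distinct = len({t for _, t in win})  # many distinct tags = enumeration, not support work
        best = peaks.get(partner, (0, 0))
        peaks[partner] = (max(best[0], reqs), max(best[1], distinct))
    return {p: v for p, v in peaks.items()
            if v[0] > max_requests or v[1] > max_distinct}

def sample_log():
    """Constructed sample: one ordinary reseller, one account enumerating tags."""
    base = datetime(2024, 5, 13, 10, 0, 0)
    lines = []
    for i in range(6):  # reseller-a: six lookups over ten minutes, two tags
        t = base + timedelta(minutes=2 * i)
        tag = "ABC1234" if i % 2 else "XYZ9876"
        lines.append(f"{t.isoformat()} partner=reseller-a tag={tag}")
    for i in range(120):  # reseller-b: 120 lookups in one minute, all different tags
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t.isoformat()} partner=reseller-b tag=T{i:06d}")
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

The distinct-tag count matters as much as the raw rate: a scraper that slows down to stay under a request limit still touches far more unique tags than a real reseller would.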
It was so easy, it stretches the definition of “hack,” “breach” and “stolen.” So thinks cuu508:
It sounds like the customer data was not stolen but freely given away to anyone who asked.
Why does this keep happening? BoRegardless thinks Dell’s been “ignoring Basic DB Safety:”
We’ve had a decade of huge DB access by … hackers of all types. So why aren’t these large company systems locked down with advanced multi-factor authorization & constant monitoring to detect scraping?
Their business depends on their data, yet every week it is that same story over again. Could it be CEO emphasis on next quarter’s profits is more important than the business data safety costs?
Dell has been emailing affected customers. For example, TheTKS:
Checks email. Ah, ****. Yup, got the email. In French. Merde! I live in a country and province with French and English as official languages! Good thing (!?) I understand French well enough to get the gist of [it].
…
Dell: A company that can screw you multilingually.
Some say Dell has known about the bug since 2016! pinwirrie has used it for good, not evil:
I recently took advantage of that when shopping for a used Latitude on eBay: Find pic of service tag, pop it into Dell’s support site, and you get more detail on the system than appears in the item listing. Had known about this from owning a succession of Latitudes.
When will companies like Dell take security seriously? Never, according to cs702:
Ah, security. As always and as ever, an afterthought.
Meanwhile, at least sunderland56 sees a silver lining:
Good news, everyone! Finally, finally, someone is reading Dell support tickets.
Ah, the 1930s, when local government asked men not to kill their wives
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image source: Ashleigh Bennett (cc:by-nd; leveled and cropped)