\n<\/p>\n
The person who claims to have 49 million Dell customer records told TechCrunch that he brute-forced an online company portal and scraped customer data, including physical addresses, directly from Dell\u2019s servers.\u00a0<\/p>\n
TechCrunch verified that some of the scraped data matches the personal information of Dell customers.<\/p>\n
On Thursday, Dell sent an email to customers saying the computer maker had experienced a data breach<\/a> that included customer names, physical addresses and Dell order information.\u00a0<\/p>\n \u201cWe believe there is not a significant risk to our customers given the type of information involved,\u201d Dell wrote in the email, in an attempt to downplay the impact of the breach, implying it does not consider customer addresses to be \u201chighly sensitive\u201d information.<\/p>\n The threat actor said he registered with several different names on a particular Dell portal as a \u201cpartner.\u201d A partner, he said, refers to a company that resells Dell products or services. After Dell approved his partner accounts, Menelik said he brute-forced customer service tags, which are made of seven digits of only numbers and consonants. He also said that \u201cany kind of partner\u201d could access the portal he was granted access to.\u00a0<\/p>\n \u201c[I] sent more than 5,000 requests per minute to this page that contains sensitive information. Believe me or not, I kept doing this for nearly 3 weeks and Dell did notice anything. Nearly 50 Million requests\u2026After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,\u201d Menelik told TechCrunch.\u00a0<\/p>\n Menelik, who shared screenshots of the several emails he sent in mid-April, also said that at some point he stopped scraping and did not obtain the complete database of customer data. A Dell spokesperson confirmed to TechCrunch that the company received the threat actor\u2019s emails.<\/p>\n