A massive data breach at Dell has exposed the personal information of 49 million customers due to an exploited vulnerability in their partner portal API, BleepingComputer reports.
A threat actor, operating under the name “Menelik,” has claimed responsibility for the breach, revealing how they were able to access and scrape vast amounts of customer data over a three-week period.
Menelik created a fake company account to gain access to Dell’s partner portal API. They then exploited a lack of rate limiting in the API, allowing them to bombard it with thousands of requests per minute without being detected or blocked. This allowed them to harvest customer order data, including warranty information, service tags, names, locations, and customer numbers.
Menelik says the stolen customer records include the following hardware breakdown:
- Monitors: 22,406,133
- Alienware Notebooks: 447,315
- Chromebooks: 198,713
- Inspiron Notebooks: 11,257,567
- Inspiron Desktops: 1,731,767
- Latitude Laptops: 4,130,510
- Optiplex: 5,177,626
- Poweredge: 783,575
- Precision Desktops: 798,018
- Precision Notebooks: 486,244
- Vostro Notebooks: 148,087
- Vostro Desktops: 37,427
- Xps Notebooks: 1,045,302
- XPS/Alienware desktops: 399,695
Dell has acknowledged the breach and is currently investigating the full extent of the damage.
