Dell API abused to steal 49 million customer records in data breach

The threat actor behind the recent Dell data breach revealed they scraped information of 49 million customer records using an partner portal API they accessed as a fake company.

Yesterday, BleepingComputer reported that Dell had begun to send notifications warning customers that their personal data was stolen in a data breach.

This data breach contained customer order data, including warranty information, service tags, customer names, installed locations, customer numbers, and order numbers.

A threat actor known as Menelik put the data up for sale on the Breached hacking forum on April 28th, with the moderators soon taking down the post. 

Menelik told BleepingComputer this morning they were able to steal the data after discovering a portal for partners, resellers, and retailers that could be used to look up order information.

Menelik says he could access the portal by registering multiple accounts under fake company names and had access within two days without verification.

"It is very easy to register as a Partner. You just fill an application form," Menelik told BleepingComputer.

"You enter company details, reason you want to become a partner, and then they just approve you, and give access to this "authorized" portal. I just created my own accounts in this way. Whole process takes 24-48 hours."

Once they gained access to the portal, Menelik told BleepingComputer they had created a program that generated 7-digit service tags and submitted them to the portal page starting in March to scrape the returned information.

As the portal reportedly did not include any rate limiting, the threat actor claims they could harvest the information of 49 million customer records by generating 5,000 requests per minute for three weeks, without Dell blocking the attempts.

Menelik says the stolen customer records include the following hardware breakdown:

• Monitors: 22,406,133
• Alienware Notebooks: 447,315
• Chromebooks: 198,713
• Inspiron Notebooks: 11,257,567
• Inspiron Desktops: 1,731,767
• Latitude Laptops: 4,130,510 
• Optiplex: 5,177,626
• Poweredge: 783,575
• Precision Desktops: 798,018
• Precision Notebooks: 486,244
• Vostro Notebooks: 148,087
• Vostro Desktops: 37,427
• Xps Notebooks: 1,045,302
• XPS/Alienware desktops: 399,695

The threat actors said they emailed Dell on April 12th and 14th to report the bug to their security team, sharing the email with BleepingComputer. However, the threat actor admittedly harvested 49 million records before contacting the company.

The threat actor says Dell never replied to the emails and didn't fix the bug until approximately two weeks later, around the time the stolen data was first put up for sale on the Breach Forums hacking forum.

Dell confirmed to BleepingComputer they received the threat actor's emails but declined to answer any further questions, as they say the incident has become an active law enforcement investigation.

However, the company claims they had already detected the activity before receiving the threat actor's email.

"Let's keep in mind, this threat actor is a criminal and we have notified law enforcement," Dell told BleepingComputer.

"We are not disclosing any information that could compromise the integrity of our ongoing investigation or any investigations by law enforcement."

"Prior to receiving the threat actor's email, Dell was already aware of and investigating the incident, implementing our response procedures and taking containment steps. We have also engaged a third-party forensics firm to investigate."

TechCrunch first reported Menelik’s use of this API to scrape Dell customer data.

APIs increasingly abused in data breaches

Easy-to-access APIs have become a massive weakness for companies in recent years, with threat actors abusing them to scrape sensitive data and sell them to other threat actors.

In 2021, threat actors abused a Facebook API bug to link phone numbers to over 500 million accounts. This data was leaked almost for free on a hacking forum, only requiring an account and paying $2 to download it.

Later that year, in December, threat actors exploited a Twitter API bug to link millions of phone numbers and email addresses to Twitter accounts, which were then sold on hacking forums.

More recently, a Trello API flaw was exploited last year to link an email address to 15 million accounts, which were, once again, put up for sale on a hacking forum. The data was later shared with Have I Been Pwned to issue notifications to those exposed in the breach.

While all of these incidents involved scraping of data, they were allowed due to the ease of access to APIs and the lack of proper rate limiting for the number of requests that can be made per second from the same host.