The threat actor said he registered with several different names on a particular Dell portal as a “partner.” A partner, he said, refers to a company that resells #Dell products or services. After Dell approved his partner accounts, Menelik said he brute-forced customer service tags, which are seven-character strings made up only of digits and consonants. He also said that “any kind of partner” could access the portal he was granted access to.
“[I] sent more than 5,000 requests per minute to this page that contains sensitive information. Believe me or not, I kept doing this for nearly 3 weeks and Dell did [not] notice anything. Nearly 50 million requests… After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up,” Menelik told #TechCrunch.
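A defender-side check for the enumeration pattern described above, added here as an example that is not from the post, from Dell, or from TechCrunch: it parses a constructed partner-portal access log (the log format, account names and the 100 lookups/minute threshold are assumptions; the reported 5,000/minute is far above it) and flags accounts that look up many distinct service tags per minute, mostly with not-found responses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service-tag shape as the post describes it: seven characters, digits and consonants only.
SERVICE_TAG = re.compile(r"^[0-9BCDFGHJKLMNPQRSTVWXZ]{7}$")
# Assumed log format (constructed, not Dell's): "<ISO timestamp> <partner_account> <service_tag> <http_status>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Parse access-log lines into (timestamp, account, tag, status); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, account, tag, status = m.groups()
        if not SERVICE_TAG.match(tag.upper()):
            continue  # not a service-tag lookup, ignore
        events.append((datetime.fromisoformat(ts), account, tag.upper(), int(status)))
    return events

def flag_enumeration(events, max_lookups_per_minute=100):
    """Return {account: (peak lookups/min, distinct tags, not-found ratio)} for scraper-like accounts."""
    per_minute = defaultdict(list)
    for ts, account, tag, status in events:
        per_minute[(account, ts.replace(second=0, microsecond=0))].append((tag, status))
    flagged = {}
    for (account, _), hits in per_minute.items():
        n = len(hits)
        distinct = len({tag for tag, _ in hits})
        not_found = sum(1 for _, s in hits if s == 404) / n
        # A legitimate partner re-checks a few tags; an enumerator sends many distinct tags, mostly misses.
        if n > max_lookups_per_minute and distinct > max_lookups_per_minute:
            prev = flagged.get(account)
            if prev is None or n > prev[0]:
                flagged[account] = (n, distinct, round(not_found, 2))
    return flagged

def constructed_log():
    """Build constructed sample traffic: one normal partner and one account hammering distinct tags."""
    start = datetime(2024, 4, 1, 10, 0, 0)
    lines = [f"{(start + timedelta(seconds=i * 10)).isoformat()} partner-a 7GX2K9Q 200" for i in range(6)]
    for i in range(300):  # 300 different tags within one minute, almost all not found
        ts = (start + timedelta(milliseconds=i * 200)).isoformat()
        lines.append(f"{ts} partner-x {i:07d} {200 if i % 50 == 0 else 404}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(flag_enumeration(parse_log(constructed_log())))  # {'partner-x': (300, 300, 0.98)}
```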
#infosec #breach
https://techcrunch.com/2024/05/10/threat-actor-scraped-49m-dell-customer-addresses-before-the-company-found-out/