A hacker who calls himself Menelik has taken credit for not one but two recent data breaches against PC maker Dell. In the first attack, as reported by TechCrunch, he claims to have accessed a Dell online portal through which he stole customer names, physical addresses, and order information. Staging a second attack just days later on a different portal, Menelik told TechCrunch that he made off with the names, phone numbers, and email addresses of Dell customers.
To perform the first attack, which reportedly affected 49 million Dell customers, the hacker said that he registered with different names for Dell resellers on a specific portal. After Dell approved these partner accounts, Menelik said he brute-forced the seven-digit customer service tags. “Any kind of partner” could access the portal in the same way, he claimed.
“[I] sent more than 5,000 requests per minute to this page that contains sensitive information,” Menelik told TechCrunch. “Believe me or not, I kept doing this for nearly 3 weeks and Dell did not notice anything. Nearly 50 Million requests…After I thought I got enough data, I sent multiple emails to Dell and notified the vulnerability. It took them nearly a week to patch it all up.”
Dell confirmed to TechCrunch it had been hit by a data breach and that Menelik had sent emails to the company taking credit for the attack. Dell didn’t reveal whose physical addresses were scraped. But TechCrunch found that some addresses were for businesses buying products for remote workers while many were for consumers ordering products at home.
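The request pattern described above (approved partner accounts sending thousands of lookups per minute, each for a different seven-digit service tag, for weeks) is what a per-account sliding-window check is meant to catch. The following is an added example, not Dell's code or anything from the TechCrunch report; the log format (`epoch_seconds account service_tag`), the account names, and both thresholds are assumptions.

```python
from collections import Counter, defaultdict, deque

def detect_enumeration(lines, window=60.0, max_requests=120, max_tags=30):
    """Flag accounts that exceed a request-rate or distinct-tag limit
    inside any sliding window. Thresholds are assumed, not Dell's."""
    recent = defaultdict(deque)        # account -> (ts, tag) still in window
    tag_counts = defaultdict(Counter)  # account -> tag -> hits in window
    flagged = {}
    for line in lines:
        ts_text, account, tag = line.split()
        ts = float(ts_text)
        q, counts = recent[account], tag_counts[account]
        q.append((ts, tag))
        counts[tag] += 1
        # Evict entries that have aged out of the window.
        while q[0][0] <= ts - window:
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if account not in flagged:
            if len(q) > max_requests:
                flagged[account] = "rate"
            elif len(counts) > max_tags:
                # Many different tags in a short time: enumeration.
                flagged[account] = "distinct_tags"
    return flagged

def sample_log():
    """Constructed sample data, not real portal logs."""
    events = []
    # partner-a: one lookup every 20 s, cycling over three tags.
    for i in range(30):
        events.append((i * 20.0, "partner-a", str(9000000 + i % 3)))
    # partner-b: 5,000 lookups in one minute, each a new seven-digit tag.
    for i in range(5000):
        events.append((i * 0.012, "partner-b", f"{i:07d}"))
    events.sort()
    return [f"{ts:.3f} {acct} {tag}" for ts, acct, tag in events]

if __name__ == "__main__":
    print(detect_enumeration(sample_log()))
```

Counting distinct tags per account, not just raw request volume, is what lets the check fire within the first few dozen requests of a sweep.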
And what happened to the stolen records? The same thing that usually happens. Menelik said he posted an ad on a dark web hacking forum trying to sell the data. In a follow-up, the hacker told TechCrunch that he sold the data but didn’t reveal the price tag.
To pull off the second attack, Menelik targeted another portal from which he grabbed not just customer names, phone numbers, and email addresses, but also Dell service reports. Such reports contain details on replacement hardware, notes from on-site engineers, dispatch numbers, and diagnostic logs uploaded from the customer’s PC.
Menelik said he captured data for around 30,000 Dell customers in the US through the second attack. The flaws he exploited were similar to those in the first attack. This time, however, he couldn’t steal the data as quickly as he did during the initial breach. Asked by TechCrunch what he aims to do with this second batch of data, the hacker said he didn’t yet know.
We hear about data breaches, cyberattacks, and stolen customer data regularly. And it’s always the same story: companies fail to effectively secure their infrastructure, data centers, and databases or patch critical security flaws; savvy hackers discover a vulnerability, giving them the keys to steal sensitive information.
Since we can’t depend on companies to protect us, what can we do to protect ourselves? There are a few steps you can take both before and after a breach:
- Set up a strong password – Yes, I know you’ve heard this before. But a strong and secure password is one of the first lines of defense. Creating and remembering a complex and unique password for every account is virtually impossible. That’s why you should turn to a good password manager to do the hard work. And as more sites and services support passkeys, that’s another option to consider. If your account has been affected by a data breach, changing your password is the first action you’ll want to take. Just ensure it’s a strong one that can’t easily be hacked.
- Use two-factor authentication – An attacker who brute-forces one of your passwords can easily sign into the associated account, unless you use the right type of two-factor authentication (2FA). With 2FA, your account remains off-limits unless you provide the correct confirmation. Your best bet is to use an authenticator app or a physical security key, as both are stronger than SMS authentication. Turning on 2FA is another action to take following a breach. Many major websites now support 2FA, so you should be able to set this technique up without too much effort.
- Watch out for scams – The Dell hacker grabbed names, phone numbers, email addresses, and physical addresses, and then sold them on the dark web. On a practical level, you can’t readily change any of those. That’s why you need to be alert for criminals who try to use your phone number or email address to run spoofing and phishing scams.
- Monitor your credit – Add up all the data stolen and identity theft becomes a real possibility. To protect against this threat, you’ll want to check your credit reports across the three major services: Experian, Equifax, and TransUnion. In some cases, you may have to freeze your credit to ensure no one can open new accounts or take out loans in your name.