What Happened
In May 2024, Dell Technologies notified approximately 49 million customers that their personal information and purchase records had been stolen after a threat actor systematically scraped data from a Dell partner portal API. The threat actor, operating under the name Menelik, registered fake partner accounts and used automated API requests to extract customer records over a period of weeks.
How They Did It
The attacker exploited weaknesses in Dell’s partner portal registration and API controls. The registration process did not adequately verify company identity, allowing the threat actor to register multiple fake partner accounts. Using these accounts, the attacker sent approximately 5,000 API requests per minute over nearly three weeks to extract customer purchase data. Dell’s API did not enforce effective rate limiting or anomaly detection that would have flagged the massive volume of automated requests. The attacker systematically enumerated customer records by cycling through service tag numbers.
The threat actor claimed to have contacted Dell about the vulnerability before listing the data for sale, stating that Dell’s security team did not respond for approximately two weeks.
Exposed Data
The breach exposed customer full names associated with Dell purchases, physical shipping and billing addresses, Dell service tags (unique hardware identifiers), order information including date, product description, and warranty details, and hardware details such as system type, model, and specifications.
Dell stated that the compromised data did not include financial information, payment card details, email addresses, or phone numbers.
Why It Matters
While the exposed data does not include financial information, the combination of name, address, and specific hardware ownership creates risks. Attackers can craft convincing phishing emails referencing specific Dell products the victim owns, such as “Your Dell XPS 15 warranty is expiring.” Knowledge of high-value hardware at specific addresses creates physical security concerns. Hardware details can be used to impersonate Dell support for social engineering.
Timeline
The threat actor began scraping the Dell partner portal API in approximately March 2024. About 49 million records were extracted over roughly three weeks in April 2024. On April 28, 2024, the threat actor Menelik listed the data for sale on Breach Forums. Dell sent breach notification emails to affected customers on May 9, 2024, and confirmed the incident while stating the investigation was ongoing.
Key Lessons
API security requires rate limiting, anomaly detection, and monitoring. 5,000 requests per minute for weeks should trigger automated blocks. Partner portal registration must verify organizational identity, as allowing unverified account creation provides attackers with legitimate access. Service tag enumeration is a known attack pattern, and APIs should not allow sequential or brute-force enumeration of records. Responsible disclosure responsiveness matters, as delayed response to vulnerability reports increases the likelihood of public exploitation.
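One way to implement the rate-limit and enumeration checks described above, as an added example that is not part of the original article: a small detector run over constructed access-log lines for a hypothetical partner-portal API. The account ids, service tags and thresholds are all assumed values, not Dell's.

```python
from collections import Counter, defaultdict

# Constructed access-log lines for a hypothetical partner-portal API
# (ISO timestamp, partner account id, queried service tag); not real data.
SAMPLE_LOG = """\
2024-04-03T10:00:00Z partner-0419 ABC1230
2024-04-03T10:00:01Z partner-0419 ABC1231
2024-04-03T10:00:02Z partner-0419 ABC1232
2024-04-03T10:00:03Z partner-0419 ABC1233
2024-04-03T10:00:04Z partner-0419 ABC1234
2024-04-03T10:00:05Z partner-0419 ABC1235
2024-04-03T10:00:30Z partner-0007 XK9Q2LP
2024-04-03T10:12:45Z partner-0007 M3N8R1A
"""

RATE_LIMIT_PER_MINUTE = 5  # demo threshold; a real portal would tune this
MIN_SEQUENTIAL_RUN = 4     # consecutive tags before we call it enumeration

def parse_log(text):
    # Return (minute_bucket, account, service_tag) tuples in log order.
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, tag = line.split()
            events.append((ts[:16], account, tag.upper()))
    return events

def flag_rate_abuse(events, limit=RATE_LIMIT_PER_MINUTE):
    # Accounts that exceed `limit` requests inside any single minute.
    per_minute = Counter((minute, account) for minute, account, _ in events)
    return {account for (_, account), n in per_minute.items() if n > limit}

def flag_sequential_enumeration(events, min_run=MIN_SEQUENTIAL_RUN):
    # Treat service tags as base-36 numbers: ABC1234 -> ABC1235 is a +1
    # step, and a run of such steps from one account is a brute-force walk.
    flagged, last_value, run = set(), {}, defaultdict(lambda: 1)
    for _, account, tag in events:
        value = int(tag, 36)
        run[account] = run[account] + 1 if last_value.get(account) == value - 1 else 1
        if run[account] >= min_run:
            flagged.add(account)
        last_value[account] = value
    return flagged

def analyze(text):
    events = parse_log(text)
    return {"rate_abuse": sorted(flag_rate_abuse(events)),
            "enumeration": sorted(flag_sequential_enumeration(events))}
```

Both checks are per-account here; a production version would also aggregate across accounts, since the attacker in this incident spread requests over several fake registrations.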