49 Million Dell Customer Records Stolen as Hackers Abuse Poorly Secured Partner API

May 23, 2024


Hackers were able to steal about 49 million customer records from Dell by merely registering as a company partner, which granted access to private order information.

The hackers boasted about their theft on an underground forum, claiming that they merely had to fill out a partner application with Dell and wait about 48 hours to be given access. Posing as a fictitious company, the attackers were then given access to a partner portal API that was open to scraping. They scraped the portal simply by submitting seven-digit service tags sequentially; the requests did not appear to have any rate limits or additional controls placed on them, and a partner account was apparently the only credential needed to look up the order behind any tag, not just tags tied to that partner's own customers.

Hackers take advantage of lack of rate limits

The impacted information involves orders placed with Dell from 2017 to 2024. The hackers said that they were able to send about 5,000 requests per minute for three straight weeks, without any intervention or interruption by Dell during that time; at that rate the sweep amounts to roughly 150 million requests from a single partner account. The scraping does not appear to have been detected by Dell until the threat actors emailed the company about it after getting their fill of records, also emailing members of the media and posting about their exploits on a commonly used underground forum. The vulnerability remained exploitable for about two more weeks after that.
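Three weeks of one partner account requesting consecutive service tags at thousands of requests per minute is the kind of pattern an API gateway log should surface on its own. The following is an added example, not Dell's code or logging format: it parses a constructed access log, computes each partner's peak requests per minute and the share of its lookups that ask for exactly the previous tag plus one, and flags either signal. The log line format, the partner IDs, the tag values and the thresholds are assumptions made for the example, as is the treatment of a seven-character alphanumeric tag as a base-36 number so that "the next tag" is well defined.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not Dell's): one partner-API request per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) partner=(?P<partner>\S+) "
    r"GET /orders\?service_tag=(?P<tag>[A-Z0-9]{7}) (?P<status>\d{3})$"
)

# Assumption: a seven-character alphanumeric tag is read as a base-36 number so that
# a sequential sweep (tag, tag+1, tag+2, ...) can be measured.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def tag_to_int(tag):
    n = 0
    for ch in tag:
        n = n * 36 + ALPHABET.index(ch)
    return n


def int_to_tag(n):
    chars = []
    for _ in range(7):
        chars.append(ALPHABET[n % 36])
        n //= 36
    return "".join(reversed(chars))


def parse_log(lines):
    """Return (timestamp, partner, tag, status) tuples; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["partner"], m["tag"], int(m["status"])))
    return events


def analyze(events, window=timedelta(minutes=1), rpm_limit=60, seq_ratio=0.8, min_requests=20):
    """Per partner: peak requests inside any sliding window, and the share of lookups
    that ask for exactly the previous tag + 1. Either signal alone flags the partner."""
    by_partner = defaultdict(list)
    for ts, partner, tag, _status in events:
        by_partner[partner].append((ts, tag))
    findings = {}
    for partner, reqs in by_partner.items():
        reqs.sort()
        peak, start = 0, 0
        for i in range(len(reqs)):
            while reqs[i][0] - reqs[start][0] >= window:
                start += 1
            peak = max(peak, i - start + 1)
        steps = [tag_to_int(b[1]) - tag_to_int(a[1]) for a, b in zip(reqs, reqs[1:])]
        seq = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        reasons = []
        if peak > rpm_limit:
            reasons.append(f"{peak} requests in one minute exceeds {rpm_limit}")
        if len(reqs) >= min_requests and seq >= seq_ratio:
            reasons.append(f"{seq:.0%} of lookups are sequential service tags")
        findings[partner] = {
            "requests": len(reqs),
            "peak_per_minute": peak,
            "sequential_ratio": round(seq, 2),
            "flag": bool(reasons),
            "reasons": reasons,
        }
    return findings


def constructed_log():
    """Constructed sample: one legitimate partner and one sweeping tags sequentially."""
    base = datetime(2024, 4, 1, 9, 0, 0)
    lines = []
    for i, tag in enumerate(["7GQ2K1B", "J3XP0WD", "C9R4TNA"]):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} partner=acme-resale GET /orders?service_tag={tag} 200")
    first = tag_to_int("1A2B3C0")
    for i in range(100):  # 100 consecutive tags in under a minute (the article reports ~5,000/min)
        ts = base + timedelta(milliseconds=600 * i)
        lines.append(f"{ts.isoformat()} partner=newco-ltd GET /orders?service_tag={int_to_tag(first + i)} 404")
    return lines


if __name__ == "__main__":
    for partner, finding in analyze(parse_log(constructed_log())).items():
        print(partner, finding)
```

The sequential-tag ratio is the more durable signal of the two: a scraper that slows down to stay under a per-minute threshold still walks the tag space in order, and a legitimate partner looking up its own customers' machines almost never does.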

Dell has issued a statement indicating that no customer financial or payment information was included, and that the order summaries did not contain phone numbers or email addresses. The orders did include names and physical mailing addresses, however, along with less sensitive information such as order numbers and service tags. Orders of monitors, which made up about 22.5 million of the stolen records, also included the item serial number.

Incident highlights common API security issues

Overly permissive web APIs have been an ongoing security issue since they began to become common many years ago, but scraping techniques have advanced significantly in the last few years, driven by the tooling developed for AI-era data gathering and by an explosion in bot networks built for the purpose. 2021 marks a step change in the number of records involved in these incidents, with LinkedIn losing the contact data of 700 million users and Facebook having the phone numbers of about 500 million accounts stolen. Facebook has since had similar issues, with a 2024 attack gathering profile data from about 1.2 billion accounts. Another frequent flier has been Twitter (now X), whose API was hit in 2021 for millions of private phone numbers and email addresses linked to accounts, and again in 2023 in an incident that built on the 2021 breach to collect similar information about some 200 million accounts.

Other noteworthy incidents include a 2024 attack on an unauthenticated Trello endpoint that leaked about 15 million account details, and similar attacks on Optus in 2022 (nine million records) and Duolingo in 2023 (2.6 million records). In every case the root cause was either a misconfiguration or overly permissive access to an API that existed for a legitimate business purpose, and in most cases the absence of rate limiting was what let the attacks run to completion. The Dell scrape shows the other half of the pattern: as described above, holding a partner account was apparently the only check, with nothing tying a partner to the specific orders it was allowed to see, so a single self-registered account could walk the entire service-tag space.
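The two weaknesses this section keeps returning to, no rate limit and no check that the caller is entitled to the specific record it asks for, side by side as an added example that is not Dell's code or any vendor's. The vulnerable handler only checks that the caller is a partner; the hardened one charges each partner a per-account token bucket before doing any work, then returns an order only if that partner sold it, answering "not yours" and "no such tag" identically so that the API cannot be used as an oracle for valid tags. The order store, partner IDs, limits and service-tag values are constructed for illustration.

```python
import time

# Constructed order store (not Dell's data): service tag -> order summary plus the
# partner that placed the order. Names and addresses are placeholders.
ORDERS = {
    "1A2B3C0": {"customer": "Customer A", "address": "1 Example St", "sold_by": "acme-resale"},
    "1A2B3C1": {"customer": "Customer B", "address": "2 Example St", "sold_by": "acme-resale"},
    "1A2B3C2": {"customer": "Customer C", "address": "3 Example St", "sold_by": "other-vendor"},
}


def lookup_vulnerable(partner_id, service_tag):
    """The shape the article describes: being a partner is the only check, so any
    partner can read any order and walk the whole tag space at will."""
    order = ORDERS.get(service_tag)
    return ("200", order) if order else ("404", None)


class TokenBucket:
    """Per-partner request budget: `burst` requests at once, refilled at `rate_per_minute`."""

    def __init__(self, rate_per_minute, burst, clock=time.monotonic):
        self.capacity = burst
        self.tokens = float(burst)
        self.refill_per_sec = rate_per_minute / 60.0
        self.clock = clock
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HardenedLookup:
    """Rate limit per partner first, then object-level authorization: a partner only
    sees orders it sold, and "not yours" is indistinguishable from "no such tag"."""

    def __init__(self, rate_per_minute=30, burst=10, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate_per_minute, burst, clock
        self.buckets = {}
        self.denied = {}  # per-partner count of 404s: a cheap input for an abuse alert

    def lookup(self, partner_id, service_tag):
        bucket = self.buckets.setdefault(partner_id, TokenBucket(self.rate, self.burst, self.clock))
        if not bucket.allow():
            return ("429", None)
        order = ORDERS.get(service_tag)
        if order is None or order["sold_by"] != partner_id:
            self.denied[partner_id] = self.denied.get(partner_id, 0) + 1
            return ("404", None)
        return ("200", order)


def simulate_scrape(handler, partner_id, tags):
    """Drive an enumeration attempt through a handler; returns (records leaked, status counts)."""
    leaked, counts = 0, {}
    for tag in tags:
        code, order = handler(partner_id, tag)
        counts[code] = counts.get(code, 0) + 1
        if order is not None:
            leaked += 1
    return leaked, counts


if __name__ == "__main__":
    tags = [f"1A2B3C{d}" for d in range(10)]  # a short sequential sweep by a self-registered partner
    print("vulnerable:", simulate_scrape(lookup_vulnerable, "newco-ltd", tags))
    hardened = HardenedLookup(rate_per_minute=60, burst=5)
    print("hardened:  ", simulate_scrape(hardened.lookup, "newco-ltd", tags))
```

Order matters in the hardened path: the bucket is charged before the database lookup, so a scraper cannot burn backend capacity with requests that will be denied anyway, and the denial counter gives the operations team a per-account number to alert on long before three weeks have passed.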