mttaggart,

Credit where it's due: this is excellent reporting by @BleepingComputer. So many lessons we should already have learned in here.

> Menelik told BleepingComputer this morning they were able to steal the data after discovering a portal for partners, resellers, and retailers that could be used to look up order information.
>
> Menelik says he could access the portal by registering multiple accounts under fake company names and had access within two days without verification.
>
> "It is very easy to register as a Partner. You just fill an application form," Menelik told BleepingComputer.

This was someone expecting only intended eyes to look at this application, even though it was discoverable on the internet.

> Once they gained access to the portal, Menelik told BleepingComputer they had created a program that generated 7-digit service tags and submitted them to the portal page starting in March to scrape the returned information.
>
> As the portal reportedly did not include any rate limiting, the threat actor claims they could harvest the information of 49 million customer records by generating 5,000 requests per minute for three weeks, without Dell blocking the attempts.

So not only did this API have no rate-limiting, it also had no access control to prevent Partner accounts from viewing each other's data.
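To make the two gaps concrete, here is an added toy model of a partner order-lookup endpoint (my own illustration, not code from the post, BleepingComputer, or Dell): the same lookup with neither control, then hardened with object-level authorization and a per-account rate limit, plus an audit helper that measures how many foreign records each version hands out and a detection helper that flags accounts querying far more distinct service tags than a real partner would. Partner names, service tags, order records, the 60-requests-per-minute limit and the 100-distinct-tags threshold are all constructed assumptions.

```python
"""Toy partner portal: vulnerable vs. hardened order lookup (added example).

Everything here is constructed for illustration; the limits and thresholds
are assumptions, not anything the reporting states about the real portal.
"""
from collections import Counter, defaultdict, deque

# Constructed sample data: each order record carries the partner it belongs to.
ORDERS = {
    "1A2B3C4": {"partner": "acme-reseller", "customer": "A. Example", "city": "Austin"},
    "5D6E7F8": {"partner": "acme-reseller", "customer": "B. Example", "city": "Boise"},
    "9G0H1J2": {"partner": "globex-retail", "customer": "C. Example", "city": "Cork"},
    "3K4L5M6": {"partner": "globex-retail", "customer": "D. Example", "city": "Derby"},
}


class RateLimited(Exception):
    """Raised when an account exceeds its request budget."""


class SlidingWindowLimiter:
    """Per-key sliding-window limiter driven by an explicit clock (seconds)."""

    def __init__(self, max_requests, window_s):
        self.max_requests = max_requests
        self.window_s = window_s
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


class PartnerPortal:
    def __init__(self, orders, max_per_minute=60):   # 60/min is an assumed budget
        self.orders = orders
        self.limiter = SlidingWindowLimiter(max_per_minute, 60.0)

    def lookup_vulnerable(self, partner, tag, now=0.0):
        """Any authenticated partner can fetch any order, as fast as it likes."""
        return self.orders.get(tag)

    def lookup_hardened(self, partner, tag, now=0.0):
        """Rate-limit per account, then enforce object-level authorization."""
        if not self.limiter.allow(partner, now):
            raise RateLimited(partner)
        order = self.orders.get(tag)
        # A foreign tag and a nonexistent tag both return None, so the response
        # does not confirm which 7-digit tags are real.
        if order is None or order["partner"] != partner:
            return None
        return order


def leaked_records(lookup, partner, tags, rate_per_minute):
    """Audit helper: query each tag at a steady rate; count records returned that
    belong to a different partner, and requests the limiter refused."""
    leaked = limited = 0
    for i, tag in enumerate(tags):
        now = i * 60.0 / rate_per_minute          # simulated clock
        try:
            rec = lookup(partner, tag, now=now)
        except RateLimited:
            limited += 1
            continue
        if rec is not None and rec["partner"] != partner:
            leaked += 1
    return leaked, limited


def flag_enumeration(requests, window_s=60.0, max_distinct_tags=100):
    """Detection helper: accounts that query more distinct service tags within
    any window than a legitimate partner plausibly would (threshold assumed).
    `requests` is an iterable of (timestamp, partner, tag), e.g. from the
    portal's access log. Returns {partner: peak distinct tags in a window}."""
    by_partner = defaultdict(list)
    for ts, partner, tag in requests:
        by_partner[partner].append((ts, tag))
    flagged = {}
    for partner, events in by_partner.items():
        events.sort()
        window, seen = deque(), Counter()
        for ts, tag in events:
            window.append((ts, tag))
            seen[tag] += 1
            while ts - window[0][0] >= window_s:
                _, old = window.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) > max_distinct_tags:
                flagged[partner] = max(flagged.get(partner, 0), len(seen))
    return flagged


if __name__ == "__main__":
    probe = list(ORDERS) + ["0000000", "9999999"]
    print("vulnerable:", leaked_records(PartnerPortal(ORDERS).lookup_vulnerable,
                                        "acme-reseller", probe, 5000))
    print("hardened:  ", leaked_records(PartnerPortal(ORDERS).lookup_hardened,
                                        "acme-reseller", probe, 5000))
```

The hardened path makes two separate decisions, and both matter: the limiter turns a three-week harvest into a trickle that is obvious in access logs, while the ownership check is what actually stops one partner's credentials from reading another partner's customers. `flag_enumeration` is the kind of query a SOC can run over the portal's own logs even before the code is fixed; a partner looking up its own orders touches a handful of tags, whereas a scraper touches thousands.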

This is the way Dell does business. How safe do you feel about all your business partners?

www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/
