Dell Resets User Passwords Following Data Breach

Dell informed customers on Wednesday that the passwords for their Dell.com accounts have been reset after the company recently discovered unauthorized access on its network.

According to the tech giant, the breach was detected and neutralized on November 9. The attacker apparently attempted to extract Dell.com user information, limited to names, email addresses and hashed passwords.

Dell.com allows users to purchase Dell devices, services and solutions, and it hosts support services for the company’s products.

Dell’s investigation so far “found no conclusive evidence” that data was actually stolen, but it admitted that at least some of the information could have been exfiltrated. The company claimed credit card and other sensitive information was not exposed.

However, as a precaution, Dell.com account passwords are being reset and users have been advised to change passwords for other accounts that use the same one. The password reset procedure will also affect the Premier, Global Portal, and support.dell.com (Esupport) online services. DellEMC.com and DellTechnologies.com accounts are not impacted, and Dell says the breach has not affected any of its products or services.

“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation. Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement,” the company said in a press release.

Dell has not shared any information on how many users had their information exposed. 

“First, Dell states that the attackers attempted to extract '...information, which was limited to names, email addresses and hashed passwords.' They later state that 'no sensitive information was targeted'. In stressing that the information lost was 'limited' to those names, emails, and hashed passwords, and that those items are not sensitive, Dell seems to downplay the extent of the breach,” Sumit Agarwal, co-founder and COO at Shape Security, told SecurityWeek.

“However, in security circles, email and hashed passwords are also known as the keys to the kingdom in terms of giving criminals full access to other accounts belonging to a given user who may have re-used that credential information elsewhere. It is highly likely that criminals will be able to discover at least some of the stolen passwords, unless Dell had in place particularly sophisticated hashing techniques. Historically, this has not been the case for many companies who were similarly breached, which is why more than 10M username/password pairs per day were stolen, on average, throughout 2017,” Agarwal added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.