Dell Says That Users' Passwords Were Not Leaked During Breach, but It Might Be Wise to Change Them Anyway
People tend to assume that the only organizations that fall victim to cyberattacks are small companies with neither the human nor the financial resources to secure their systems properly. As Amazon demonstrated last week, this isn't true.
When attacks on large technology giants inevitably happen, many assume that because said giants have armies of lawyers, PR and marketing people, the response will be prompt, efficient, and transparent. As Amazon also demonstrated last week, this isn't true either.
Yesterday, Dell admitted that it too had been attacked by cybercriminals. But how did the hardware manufacturer fare, and how did its response compare to Amazon's?
Hackers infiltrated Dell's network on November 9th
In a press release accompanied by an FAQ page, Dell told the public that on November 9, its sysadmins noticed that someone was breaking into the hardware vendor's systems. They immediately stopped the attack, contacted law enforcement, and started an investigation.
Dell didn't say how the attackers got in, but it noted that their goal was to steal customer data from the company's official website, which many people use to buy hardware and to get information from the support forums.
Dell: We think your information is safe, but you should change your password just in case
According to the press release, credit card details were held in a database the crooks couldn't access. What they went after was a database containing the names, email addresses, and hashed passwords of Dell.com users, but crucially, Dell says that there's no evidence any of that information was actually extracted.
This is all good news. So far, the investigation suggests that the crooks left empty-handed, and even if that's not the case, at least the passwords are hashed, which, as Dell explains, should mean that they are unusable.
As we have mentioned in the past, however, "hashed" is not a guarantee on its own. Fast general-purpose hashes such as MD5 or SHA-1 can be brute-forced at billions of guesses per second on commodity GPUs, so any account with a password that appears in a cracking dictionary falls quickly. The absence of a per-user cryptographic salt makes things worse: an attacker can precompute a single lookup table and run it against every account in the dump at once, and any two users who chose the same password are immediately visible because their hashes are identical.
Dell did say that its hashing mechanism has been validated by "an expert third-party firm", but it didn't say which algorithm it uses, and it mentioned nothing about salting or about how expensive each hash is to compute. This is not the level of transparency some people had been hoping for, which is all the more concerning given the mitigation measures the hardware business then proceeded to take.
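To make the difference concrete, here is an added example (not code from the original article, and nothing to do with how Dell.com actually stores passwords) that builds two versions of a small, constructed credential database: one using a single unsalted SHA-1 per password, the other using a random 16-byte per-user salt and PBKDF2-HMAC-SHA256. It then runs the same constructed dictionary against both and counts the hash computations each attack needs. The wordlist, user names and passwords are all made up for the demonstration; PBKDF2 is used because it ships in the Python standard library, whereas a production system would normally reach for bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking dictionary (assumption: the attacker has one).
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "dell2018", "iloveyou"]


def hash_unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted SHA-1 over the raw password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """Stronger scheme: per-user random salt plus a deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_db(users: dict) -> dict:
    """username -> hex SHA-1; identical passwords produce identical records."""
    return {user: hash_unsalted_sha1(pw) for user, pw in users.items()}


def build_salted_db(users: dict, iterations: int = 100_000) -> dict:
    """username -> (salt, iterations, digest); every record gets a fresh salt."""
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, iterations, hash_salted_pbkdf2(pw, salt, iterations))
    return db


def crack_unsalted(db: dict, wordlist: list) -> tuple:
    """Precompute one table from the wordlist and look every user up in it.

    Returns (cracked accounts, number of hash computations). The work is
    len(wordlist) no matter how many users are in the dump.
    """
    table = {hash_unsalted_sha1(word): word for word in wordlist}
    cracked = {user: table[digest] for user, digest in db.items() if digest in table}
    return cracked, len(wordlist)


def crack_salted(db: dict, wordlist: list) -> tuple:
    """Per-user dictionary attack: the salt forces a fresh pass for each account.

    Returns (cracked accounts, number of KDF computations). Each computation
    also costs `iterations` times more than a single SHA-1, so the total
    attacker effort scales with users x wordlist x iterations.
    """
    cracked = {}
    work = 0
    for user, (salt, iterations, digest) in db.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(hash_salted_pbkdf2(word, salt, iterations), digest):
                cracked[user] = word
                break  # stop guessing this account once its password is found
    return cracked, work


if __name__ == "__main__":
    # Constructed sample accounts: two users share a weak password, one has a strong one.
    users = {"alice": "password123", "bob": "password123", "carol": "Kx9!v-lumen-3raft"}

    unsalted = build_unsalted_db(users)
    print("unsalted: alice and bob have identical hashes:", unsalted["alice"] == unsalted["bob"])
    print("unsalted cracked, work:", crack_unsalted(unsalted, WORDLIST))

    salted = build_salted_db(users, iterations=20_000)
    print("salted: alice and bob have identical digests:", salted["alice"][2] == salted["bob"][2])
    print("salted cracked, work:", crack_salted(salted, WORDLIST))
```

Both attacks still recover "password123" for alice and bob: salting and a slow KDF do not rescue a password that is in the attacker's dictionary, which is why Dell's advice to change reused passwords stands regardless of the hashing details. What changes is the cost. Against the unsalted table the attacker spends seven SHA-1 computations to test every account at once and learns for free that two users share a password; against the salted database the same dictionary costs fifteen separate PBKDF2 runs of 20,000 iterations each, carol's strong password never falls, and nothing in the records reveals that alice and bob chose the same password.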
"Out of an abundance of caution" (a phrase we see fairly often in data breach notification letters), Dell reset all Dell.com account passwords. The next time you try to log in, you'll need to go through a "multi-step authentication process" before you can regain access to your account, and if you have reused your Dell.com password on another website, the PC vendor recommends you go there and change it.
Given that, for all we know, no login data was actually stolen, saying that Dell didn't protect users' passwords properly would be nothing more than speculation. That said, when a service that has been targeted by cybercriminals performs a global password reset, speculation is bound to grow, especially while some of the details remain unclear.
The question of whether Dell did a better job than Amazon at handling the attack is for you to answer.