A large and lengthy data breach put some 56 million credit cards at risk, Home Depot revealed back in September. Now, the largest home improvement retailer in the world says that it also exposed nearly the same number of customer email addresses.
According to a statement from Home Depot, further investigation has determined that files containing approximately 53 million email addresses were also stolen during the breach, which was carried out from April to September.
Home Depot says that the hackers found their way in via a third-party vendor.
In addition to details previously released, the investigation to date has determined the following:
Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
In addition to the previously disclosed payment card data, separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information. The company is notifying affected customers in the U.S. and Canada.
In trying to explain how the breach wasn't discovered or fixed for several months, Home Depot has said that the custom malware used was brand new, and specifically designed to fool antivirus software.
It was a pretty big hack – the biggest since Target fell victim last year. If you shop at Home Depot, especially if you shopped during that window, just keep an eye out for strange activity.