You are here
Home Depot says 53m email addresses taken in breach
[WASHINGTON] Cybercriminals snatched 53 million email addresses of Home Depot customers in what has been touted as one of the largest data breaches on record, the US retail giant said on Thursday.
Hackers used a third-party vendor's user name and password to break into the computer network of the home improvement chain, it said, having previously admitted that a trove of credit card data was also stolen in the huge hack earlier this year.
Although the stolen email information did not contain passwords or sensitive personal information, the company said hackers could deliver bogus messages to trick people into divulging their data, a scheme known as "phishing." "Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails," the company said in a statement.
The update came weeks after Home Depot disclosed the data breach that leaked some 56 million credit card numbers between April and September.
The hackers managed to get stolen credentials from a vendor, which did not immediately provide direct access to the company's point-of-sale devices, Home Deport said.
But they later "acquired elevated rights" that allowed them deeper access that enabled them to deploy "unique, custom-built malware on its self-checkout systems in the US and Canada," the statement said, without elaborating.
The investigation by the company with law enforcement and security experts previously concluded that the malware "had not been seen in any prior attacks and was designed to evade detection by antivirus software." The breach follows a similar case involving US retail chain Target, which disclosed last December that hackers gained access to credit card data for 40 million customers and to additional personal and identification information for 70 million others.
Home Depot said the matter is still under investigation, and that it has eliminated the malware from its systems. It is also offering credit monitoring to customers who might be affected by the breach.