Home Depot Hackers Got in Via a Vendor, Took E-Mails, Too

No one expected the news to get better on the Home Depot hack, and it hasn’t. Providing further details on Thursday of the playbook that hackers used to break into its systems, Home Depot disclosed that hackers stole 53 million e-mail addresses, on top of the data for 56 million credit cards.

The hackers used stolen credentials from a third-party vendor to enter the retailer’s network, Home Depot said in a press release. A third-party vendor was also the point of entry in last year’s breach at Target, which exposed some 40 million cards.

The hackers navigated Home Depot’s system to get to its self-checkout machines in the U.S. and Canada and then deployed malicious software to steal card numbers, the statement said.

The cyber thieves also took files containing 53 million e-mail addresses, though they did not obtain passwords or other sensitive personal information, Home Depot said. The company warned customers to be on the alert for phishing e-mails—fake messages designed to trick the receiver into providing personal information.

Home Depot confirmed a breach of credit-card information at its stores on Sept. 8, six days after security blogger Brian Krebs reported signs of a hack.

The Wall Street Journal reported that the hackers maneuvered from the periphery of the company’s network to deep inside it by exploiting a vulnerability in a Microsoft Windows operating system, one that was patched only after the breach was already in progress. The hackers went for the 7,500 self-checkout lanes because those machines’ reference names in the computer system clearly identified them as payment terminals, while some 70,000 standard registers were identified only by number, according to the Journal.

Home Depot has 2,266 retail stores in the U.S., Puerto Rico, the U.S. Virgin Islands, Guam, Canada, and Mexico.
