Cyberthieves used a “third-party vendor’s user name and password” to break into Home Depot’s network and steal 53 million email addresses in the breach that occurred earlier this year, the nation’s largest home-improvement store announced Thursday in an update.
“These files did not contain passwords, payment card information or other sensitive personal information,” Home Depot said. “The company is notifying affected customers in the U.S. and Canada.”
But it’s important for Home Depot customers to be on guard against phishing scams, which involve emails designed to trick customers into providing personal information. The emails may be disguised as coming from a legitimate source, such as a bank or retailer.
As previously disclosed, the malware used in the attack “had not been seen in any prior attacks and was designed to evade detection by antivirus software,” according to Home Depot’s security partners. The malware is believed to have been present between April and September 2014.
Home Depot said Thursday that hackers acquired “elevated rights” that allowed them to navigate portions of Home Depot’s network and to “deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.”
In September, Home Depot finally put a number on the scope and reach of the data breach that hit its U.S. and Canadian networks — approximately 56 million unique payment cards.
Home Depot has said it has implemented enhanced encryption of payment data in all U.S. stores.
“The new security protection locks down payment card data, taking raw payment card information and scrambling it to make it unreadable and virtually useless to hackers,” Home Depot said.
Home Depot’s encryption technology, provided by Voltage Security, Inc., has been tested and validated by two independent IT security firms, the retailer said.