Evidence Shows That Nearly All U.S. Home Depots May Have Been Hit By Data Breach

While Home Depot has yet to confirm or deny whether it was indeed hit by a massive breach of its payment system, a look at the data for a huge batch of stolen credit cards that recently went up for sale on the black market seems to indicate that the hack could have hit nearly all Home Depot stores in the U.S.

Cybersecurity reporter Brian Krebs, who first broke the news of a possible Home Depot breach, has since looked at the location info (city, state, ZIP code) available for this cache of stolen card numbers and compared it to a list of address info for Home Depot stores.

“A comparison of the ZIP code data between the unique ZIPs represented on [the black market site], and those of the Home Depot stores shows a staggering 99.4 percent overlap,” writes Krebs.

To make sure that this wasn’t just a coincidence — after all, Home Depot is a national chain — he then spoke with Nicholas Weaver, a researcher at the International Computer Science Institute and at the University of California, Berkeley, who explained that, “A 99+ percent overlap in ZIP codes strongly suggests that this source is from Home Depot.”

Of the approximately 2,200 Home Depot stores in the U.S., Krebs found only 127 that were not represented in the ZIP code data. However, since the cards for sale likely only represent a fraction of the total number that were stolen, it’s possible those stores were hit but were just not included in this batch.

For those who want to test his work, Krebs is making the source data available. Here are the ZIP codes for the stolen cards currently available on the black market; here are the ZIP codes for Home Depot stores in the U.S.
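One way to rerun this kind of ZIP comparison, as an added example that is not Krebs's code or data: it normalizes ZIPs (leading zeros dropped by spreadsheets, ZIP+4 suffixes) and reports the overlap in both directions, since the share of card ZIPs that match a store ZIP and the list of store ZIPs with no cards answer different questions. The function names and the sample ZIP lists are constructed for illustration.

```python
import re

def normalize_zip(raw):
    """Return a 5-digit ZIP string, or None if the value is unusable."""
    digits = re.sub(r"\D", "", str(raw))
    if len(digits) in (8, 9):            # ZIP+4, possibly missing a leading zero
        digits = digits.zfill(9)[:5]
    if not 3 <= len(digits) <= 5:
        return None
    return digits.zfill(5)               # restore leading zeros (e.g. 2134 -> 02134)

def unique_zips(rows):
    """Deduplicate a column of raw ZIP values after normalization."""
    return {z for z in map(normalize_zip, rows) if z}

def compare(card_rows, store_rows):
    """Compare unique ZIPs seen on stolen-card listings with store ZIPs."""
    cards, stores = unique_zips(card_rows), unique_zips(store_rows)
    shared = cards & stores
    pct = round(100 * len(shared) / len(cards), 1) if cards else 0.0
    return {
        # Share of card ZIPs that coincide with a store ZIP
        "card_zips_matching_store_pct": pct,
        # Store ZIPs with no cards in this batch (possibly just not sampled)
        "store_zips_missing_from_cards": sorted(stores - cards),
        # Card ZIPs with no store: noise, or evidence of another source
        "card_zips_without_store": sorted(cards - stores),
    }

# Constructed sample data, not taken from the published lists.
CARD_ROWS = ["30339", 2134, "60614-1234", "94110", "30339", "73301", "n/a"]
STORE_ROWS = ["30339", "02134", "60614", "94110", "10001"]

if __name__ == "__main__":
    for key, value in compare(CARD_ROWS, STORE_ROWS).items():
        print(f"{key}: {value}")
```
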

Bank sources are saying this breach could have begun as early as April or May of this year. Given the sheer number of Home Depot stores and the many months during which the theft might have been ongoing, this could end up being significantly larger than the Target breach from last holiday season, which only lasted a few weeks (though they were the busiest shopping weeks of the year).

Earlier today, Home Depot said it was still investigating the possibility of a breach but reminded customers that they would not be held liable for any fraudulent charges made to their cards.
