Home Depot Hackers Used Self-Checkouts To Access 56M Credit/Debit Cards, 53M Email Addresses

We’re beginning to get a clearer picture of just what led to the massive Home Depot data breach discovered less than two months ago.

The Wall Street Journal reports that the hackers used infiltration tactics that mirrored those responsible for last year’s Target data breach that affected 40 million consumers.

Officials with Home Depot say the hackers accessed their systems with stolen credentials from a third-party vendor.

It’s believed that hackers then navigated Home Depot’s main computer network by exploiting a vulnerability in Microsoft’s operating system. From there the hackers were able operate as Home Depot employees with high-level permissions, the WSJ reports.

The hackers then targeted roughly 7,500 self-checkout machines at stores in the United States and Canada in order to deploy malicious software to steal the financial information.

On top of the 56 million credit and debit cards that were already revealed to have been compromised during the hack, Home Depot announced on Thursday that nearly 53 million e-mail addresses were also stolen.

The files containing the email addresses did not include passwords or other sensitive information, however customers should be on alert for phishing emails.

Home Depot officials say the hackers were able to avoid detection for five months by moving around the company’s system during regular business hours and implementing malware that erased its traces.

It’s believe that the attackers missed the company’s more than 70,000 standard cash registers because the mainline payment terminals are only identified by numbers.

Officials with Home Depot say the data breach could have continued much longer if hackers hadn’t put batches of stolen credit-card numbers up for sale on an online hacking forum.

Home Depot Chief Information Officer Matt Carey tells the WSJ that he was on vacation in Mexico when he was contacted by other executives about a suspicious credit card numbers for sale.

At the same time, executives at the company’s Atlanta headquarters were being contacted by Capital One Financial Corp. which had identified the store as the common thread linking the stolen cards.

The fourth day after the attack the company investigators found evidence of malware being deleted from a store computer. At that time the company was able to verify the breach but couldn’t be sure the attack was over.

Home Depot says that at the time of the attack they were putting the finishing touches on a 45-page playbook on how to respond to a data hack.

Home Depot Hackers Exposed 53 Million Email Addresses [The Wall Street Journal]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.