02
Sep 14

Banks: Credit Card Breach at Home Depot

Multiple banks say they are seeing evidence that Home Depot stores may be the source of a massive new batch of stolen credit and debit cards that went on sale this morning in the cybercrime underground. Home Depot says that it is working with banks and law enforcement agencies to investigate reports of suspicious activity.

Contacted by this reporter about information shared from several financial institutions, Home Depot spokesperson Paula Drake confirmed that the company is investigating.

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”

There are signs that the perpetrators of this apparent breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others. The banks contacted by this reporter all purchased their customers’ cards from the same underground store — rescator[dot]cc — which on Sept. 2 moved two massive new batches of stolen cards onto the market.

A massive new batch of cards labeled "American Sanctions" and "European Sanctions" went on sale Tuesday, Sept. 2, 2014.

A massive new batch of cards labeled “American Sanctions” and “European Sanctions” went on sale Tuesday, Sept. 2, 2014.

In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labled “European Sanctions.”

It is not clear at this time how many stores may have been impacted, but preliminary analysis indicates the breach may extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico.

This is likely to be a fast-moving story with several updates as more information becomes available. Stay tuned.

Update: 1:50 p.m. ET: Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.

Tags: , , , , , , ,

305 comments

  1. Obviously, it isn’t safe to use a debit or credit care anywhere. Of course paper money can be counterfeit as well. But it seems as though it is a better option with much less risk.

    • Most credit cards I’ve ever had will simply take care of the fraudulent charges. There is no need for the consumer to worry. I’m not sure about debit cards though.

      • Super, I agree that the CC companies will reverse the charges. However, even when they do it doesn’t affect their profits, somebody has to pay and that somebody is all the people that have CCs issued by that bank. This kind of “I got my money back” thinking will just propagate the problem. As others have said we all need to check our statements. Most fraud is not for huge amounts its for smaller amounts that people don’t usually notice. The thieves frequently take a long view so that they can continue to use the cards over time.

      • With all due respect to Super, the idea of a criminal enterprise having my financial information doesn’t make me feel all comfy just because I won’t have to personally pay for their stolen stuff!

  2. I really can’t understand how the perpetrators essentially are known—but yet NO ONE can figure out what to do to prevent them from striking again…it’s literally dumfounding.

    Of course as the comment above says, you have to assume the possibility of your card being stolen at one point in time, but people also need to monitor their accounts more closely…I always side-eye people who don’t realize thousands has been stolen until months later. Don’t you check your accounts religiously?

    • We don’t actually know who did the break in.

      Consider an old fashioned jewelry heist:
      * 1-3 criminals break into some store and steal some jewelry.
      * an accomplice takes the loot to a fence
      * the fence then transfers the loot to another fence
      * that fence sells the loot to various pawn shops or something
      * you walk into a pawn shop and see an item that you suspect is stolen

      You can arrest the pawn shop proprietor, but that really doesn’t get you to the cat burglar.

      There’s a reason that police officers often didn’t just close pawn shops. It’s helpful to be able to monitor them and try to trace the goods going *into* the pawn shops.

      You can think of “rescator” as the pawn shop in the scenario I’m describing.

      It’s possible that there are fewer middle-men in the real scenario (or in classic scenarios), but it’s also possible there are more. Also, unlike the scenario, it’s likely that some of these people have never met in person, so “staking” them out isn’t quite as easy as it was in the old days.

      • STILL — “rescator” and other sites like this should be SHUT DOWN. They should NOT be allowed to operate, as they are facilitating the crime and should also be held liable. This kind of thing could be stopped, but someone has to take the initiative and shut these sites down and prosecute their owners…..

      • Very well and conceptually explained Timeless!!

    • Especially with credit cards. Do people not wonder why their bills are so high all of a sudden?

      • It’s possible the cards were stolen months ago, but not being sold/used until now.

        • This is true, but I am referring to just in general and not specific to this breach. Some people don’t notice their cards are compromised until months after the fake charges start.

    • The perpetrators are known because the website hosting dump, as well as the uploader are Russian with strong ties to a pro-Russian political hacktivist group.

  3. One thing I dont see mentioned is that many home depots accept paypal as a form of payment. Depending on how those systems are linked could paypal be affected yet again?

    • PayPal seems to have two systems for physical purchasing. One is controlled by your phone (check-in), and one seems to be roughly your phone number + a pin of your choice for a specific vendor.

      The good thing about a PIN of your choice (instead of Credit Card MagStripe or EMV+PIN), is that you can change it at any time.

      So, if PayPal is “affected” at all, it’s affected *ONLY* for that Vendor (Home Depot), and only until you change your PIN (which doesn’t require you to wait for a new card, or a letter delivered via USPS).

      Someone could go into a physical Home Depot and buy Home Depot stuff — can you imagine a small, lightweight, but expensive object that you could buy in large quantities from Home Depot and then go somewhere and resell it for 80% of its value? — Without that, your crook is going to get caught (and doing this at Home Depot, this guy is going to be video recorded and will eventually be arrested).

      Given that PayPal has a fairly large security division, and proactively deals with things, I’d say given the choice of having made a purchase with Visa/MasterCard or PayPal at Home Depot which was affected, I’d definitely pick PayPal.

      — I’m pretty sure that the check-in version wouldn’t be impacted at all, since it’s basically the equivalent of PayPal sending payment confirmation to the vendor (push), instead of the vendor sending enough information to PayPal to ask for a transaction authorization (pull) — clearly in the former less account specific information is required to be sent over the wire (you send authenticated nonces) between the vendor and PayPal.

      * I haven’t shopped at Home Depot in a while, and I don’t have an active PayPal account, but this is actually a reason for me to investigate activating my PayPal account.

      http://www.newswire.ca/en/story/1216101/paypal-checks-in-at-point-of-sale-in-canada talks about doing in store purchases at Jimmy’s Coffee using the check-in version.

  4. Brian, do you have any idea if credit card information is compromised in any way when using a contactless payment methods such as Mastercard’s PayPass?

    • Card data can be stolen either by tampering with the receiver device or picking up the wireless data during the communication phase, using a custom receiver device.

      https://www.youtube.com/watch?v=9QjxwejBPHs

    • I’d love for someone to provide a useful technical overview of the handshake for EMV and Contactless (NFC) transactions.

      http://nakedsecurity.sophos.com/2013/10/31/contactless-payments-researcher-intercepts-card-data-from-a-metre-away/
      Indicates that you probably do online purchases at places that don’t require a CVC2, but I think you’re missing the encrypted PIN bit, and thus probably can’t make a complete track-2, which /probably/ means you can’t make a “card”.

      Wikipedia’s rather poor article claims that Contactless works the same way that EMV does.

      “EMV cards generally have identical [magnetic track 2] data encoded on the chip which is read as part of the normal EMV transaction process. If an EMV reader is compromised to the extent that the conversation between the card and the terminal is intercepted, then the attacker may be able to recover both the track-two data and the PIN, allowing construction of a magnetic stripe card which, while not usable in a chip and PIN terminal, can be used, for example, in terminal devices which permit fallback to magstripe processing for foreign customers without chip cards, and defective cards.”

      So, depending on where the exploit is, at least, in theory an EMV reader could become an evil EMV reader and probably convince your EMV card to disclose its track 2 information such that the bad guy could produce a Magstripe card, the same way as if you had swiped your card. — There’s a metaphor here, it’s something about don’t dip your sensitive parts into shadowy areas. — It’s why you should never insert your debit card into any machine that is not an ATM owned and operated by *your* bank.

      Demonstration “2011: CVM downgrade allows arbitrary PIN harvest”.

      • I had my first emv experience at Wally World last (thurs 9/14) night. I self clerked my own transaction with a card swipe that was mounted at a 45 degree angle to the floor. I was instantly alerted to a popup on the view screen telling me to pull the card from the slide and stick it into a – for the consumer- invisible slot below the lower edge of the reader. You put the card in, it is held, the reader begins crunching the diamond on the left side of the card. Meanwhile, one is told not to touch the card until the screen says one can. When that eventually happens, you’re asked to run the card again through the traditional scan, after which a traditional receipt for your purchase, rolls out of the machine. These appear to be old readers. The Wal Mart I visit must have had these readers for some time. I asked a helpful clerk how long the readers at the Wal Mart have been challenging the cards with diamonds to the left of center of the card. She said her first awareness came in the first days of August. That’s when I GOT my new card, but I didn’t start using it until forced to on September 16th. I didn’t originally know the new cards HAD TO BE USED. I thought I’d been included in another Chase-Morgan marketing campaign, so I just put the new card, still glued to the paperwork aside with a load of others I receive periodically. Then I started getting followup letters telling me I had to move to the new card by September 16th. I didn’t use it until then and only after the old card was rejected. The next morning I called the business #s of the corporations that draft monthly from my card, and get that straightened out. I noticed a large convenience store in the vicinity is changing its card swipers out slowly in the area, but so far, they don’t work any differently than before. I’m thinking the Wal-Mart scanners are an interim scanner intended for use if problems surfaced and the new convenience store scanners are there because a mass switch to emv cards in the US, is imminent and partially underway.

  5. Now what how do we protect ourselves?
    What can we do now ?

    • Look for a better way that provides real security in all commerce avenues (card-present, electronic, mobile etc.), breaks the traditional inverse relationship between ease-of-use and security so it is easy to use, is much less expensive than EMV (Target alone budgeted $100M for implementation), does not introduce a 4th party (another potential exposure) and, as a lagniappe, provides additional functionality.

      There is at least one for provider level adoption.

  6. Jeff, Support for emended Windows XP continues.

  7. Our local news affiliate ran your website on the 10 PM news last night and read from your page almost word for word..

    Hope they are paying you..

  8. It is time they take bitcoins already, they never learn.

  9. Where is the PCI consortium who have dragged there feet on Chip and pin or other newer technolgy that is newer than Mag stripe 1970’s technology. I guess credit card shareholders know what is best for american public. Does not seem to be working so welll, IS IT????

  10. The last place I used my credit card was Home Depot. Yesterday, the charges to my card started rolling in, from stores across the country, for all kinds of merchandise.

  11. “Hollywood was merely a specialized bank — a consortium of large financial entities that hired talent, almost always for a flat rate, ordered that talent to create a product, and then marketed that product to death, all over the world, in every conceivable medium. The goal was to find products that would keep on making money forever, long after the talent had been paid off and sent packing. Casablanca, for example, was still putting asses in seats decades after Bogart had been paid off and smoked himself into an early grave.”

    Chapter 6, “The Spawn of Onan”

    Now you can’t buy a load of lumber without being turned into a crime victim!

  12. Home depot stores credit card and debit card info longer than required to settle the charges. If you use your debit card or credit card, it asks you if you want your receipt e-mailed to you, so they also have your e-mail associated with your credit card. And probably your phone and address as well if you ever made a return. EMV does not protect you if the merchants are idiots and put their “owning the customer” ahead of serving the security needs of the customer.

    I assume the hackers probably have it all.

  13. So I got a chip card 4 months ago, I keep asking Home Depot cashiers if I can insert my new chip card into the card reader the answer is no. Same answer at PetSmart, Ralphs, Albetrtsons, they all got newer card readers but must not have the headquarters software in place to process the chip card transactions… This should be another big incentive for merchants to get a move on and for consumers to request chip cards from their banks and start asking/demanding/emailing every major store to find out when they can use their chip card to have more secure transactions.

    • Banks just don’t have enough losses yet to demand this, but I believe the solution is to have two rates. One rate for old mag strip purchases (higher) and another for chip and pin (standard rate). This would put the cost burden on vendor who won’t update their POS equipment, or keep things status quo for those that put in chip and pin. When suddenly you’re paying say twice as much in CC transaction fees, suddenly new POS equipment isn’t such a pain.

      Vendors are allowed not to pass on CC fees to customers, but they could always jack the prices, offer a “discount” for chip and pin (and cash). That’s how gas stations list a CC vs. cash price – the cash price is a “discount” and the CC price isn’t a “fee.”

  14. Thank you for not devoting time to the celebrity photo leak. Tired of news agencies letting a few individual breaches over shadow a real security breach.

  15. I’ve used both of my Chase debit cards (personal & business) numerous times in the past 2 weeks at HD. The amoral cybercriminals are fast at work distributing stolen data, even as I write, and I’ll be just as fast to cancel my cards and get new ones, not going to wait for news to come out later.

    • Home depot biz will tank, people will shop Ace or Lowes. This is infuriating and shows incompetency for a lg corp. If people have to buy there, use cash ditto Target, Albertsons, other breached stores. They can never be trusted again with your debit/credit cards. Law suits will be their downfall perhaps. They have angered many.

  16. This isn’t related to the iPhone 6’s contactless payment and recently breached accounts then?

  17. So I went on Home Depot’s main website and couldn’t find anything mentioning about offering credit card monitoring. Even tried HD’s search bar and nothing. Luckily I saw the HD link on Kreb’s website discussing it. I called Home Depot customer service and got the run around by the CSR telling me: “we don’t know when or if we will offer free credit card monitoring and continue to check your credit card statements until a breach has been confirmed”. I asked when will it be confirmed and the CSR said “we’re not sure yet”. Seriously?

    • Give HD points for honesty. I firmly believe one reason Target continues to be stung from their breach was that they were vomiting information all over the place. We know PINs were not stolen. Sorry, PINs were stolen. But nothing more. Oh, wait. Our customer contact base was breached. Sorry. And on and on. I would rather see HD have the details correct before they start making announcements.

      • Curious Individual

        Honesty? They haven’t even officially admitted that a breach occured! Look at the website they refer to it as “unusual activity…”

      • plaintext PINs were not stolen nor recovered by attackers in the Target breach. The encrypted PIN block may have been captured, but that’s designed to not be broken (i.e., capture it all you want, nothing there), and it wasn’t.

        • I never said plain text PINs were not stolen; Target announced PINs had not been stolen and then had to walk that back. My comment is we are all better served by Home Depot getting as many facts as they can before going public with details. Target did not take that approach. They made statements they could not support and later had to change, all because they did not have the details to support those statements.

        • I never said plaintext PINs were not breached at Target, only that they announced PINs were not accessed and then had to walk that back. Having the facts correct before making statements would have been the better move.

  18. This is how life is going to be from now on, I suppose. I work with the World’s leading risk consulting firm, Kroll Advisory Solutions. They will completely restore your identity if it’s ever stolen by hiring their very own licensed investigators to work on your behalf. They handled the Target breach, they train the TSA at the airports, they even do background checks on the FBI & CIA, and they found Saddam Hussein’s assets after he was captured. We don’t mess around. Check out my website or give me a call, I really can help give you all peace of mind.

  19. Home Depot also operates in Canada (possibly elsewhere, for all I know). Is there any news about whether Canadian stores’ data is also in the mix?

  20. The solution is the EMV Migration where the EMV CHIP need to be used with a PIN, not with signature. The devices, the network that transmits the transaction data as well as the hosts that keep card/personal information need to be EMV compliant and certified. That is to say all these media need to support “encryption”. Dynamic password authentication need to be applied. By doing so, you will be protected by the system and even if any transactional data is stolen it will be limited to that transaction only cause the next use of teh CHIP and PIN will require new keys for the authentication / encryption.

    • You should read the other comments before you post. An EMV chip with PIN can be compromised. EMV certification solves nothing.

  21. I need more information whether the stolen info only coming from the Home Depot’s credit cards where people apply the cc at Home Depot store. Or is all stolen info coming from all customers regardless type of credit card they own? Which one?

  22. I understand that an anti-RFI sleeve can prevent a normal low-powered POS terminal from reading a card. But can it thwart the high-powered readers that criminals can use to read the card from a greater distance?

  23. I noticed that Home Depot started using new credit card POS terminals about the time that this breach started. Is it possible this breach is related to the new equipment? I shop there very frequently…

    • I have it on very very good authority that the breach was not related to any inherent flaw in the new PIN pads.

  24. It’s so EASY to prevent credit card fraud. So the key here is, YOU NEED SECURITY, YOU NEED DUAL AUTHENTICATION TO A PERSONAL, PRIVATE, DEVICE THAT ONLY YOU THE OWNER WOULD HAVE ACCESS TO AND A PIN ON THE CREDIT CARD ITSELF BEFORE IT CAN BE SWIPED.

    The problem is, the companies don’t seem to care to improve the system. I’ve talked with Discover and Chase already about ways they can prevent 99% of all credit card fraud but they just don’t care to make a business decision to do it. First of all, stop giving out plastic credit cards with basic magnetic strips.

    STEP 1 – Require the card have a pin code built into the card itself so before the card can be swiped, it has to be unlocked basically or no data is transferred to the credit card machine. Account info on the card should be encrypted and stop putting raised lettering on the credit card! The Pin should be a 6 digit alphanumeric pin. You can have just A,B,C,D and then 0-9 numbers. That gives over 7.5 million possible code combinations which is very secure.

    STEP 2 – Add secondary authentication websites that can be used for on the spot approval or pre-shopping approval. What would happen is after you enter your pin and swipe the card, it would call your phone, send you a text, etc. and require that you APPROVE the transaction. Duo Security is a service designed great for this style of dual authentication. It sends it to a personal device that only YOU have in your possession to ALLOW or DENY the transaction. If you know you are going to the mall or a specific store, you could choose from a list of stores on your mobile phone “Walmart, Amazon, JCPenny, Kohls, etc” and bypass the dual authentication for a specified time period to speed up the shopping experience. But again, when you login to say Chase Bank, you have to use dual authentication to get in to make the changes. So in short, need better security that utilizes dual authentication, on device encryption and consumer reporting.

    STEP 3 – Provide notification alerts when your card is being used. Send email receipts for everything. Home Depot purchased – $235.43 @ 2:33pm, Location: Chicago. For instance. And put a button in the email or notification that lets you immediately notify of fraudulent activity.

    • Perfect suggestions Joey! Make sense and adds a lot of value which avoids hassles and uncertainity after a major loss

      especially step3

      “put a button in the email or notification that lets you immediately notify of fraudulent activity.”

  25. Just a head’s up. HD’s credit card itself is only good at HD. You can’t get cash back from it and you can’t use it anywhere else. The first thing everyone needs to do if they pay their HD card online is to go into their HD account and make sure there are no “Saved” payment methods. If there are “Saved” payment methods…. delete them immediately. I used my debit/credit card from my bank to pay my HD payment every month and yes, my card was just hacked yesterday, September 4th. All purchases were done as credit with no signature required and all but one were done at Pathmark and Giant Food Markets. I had that same card with that same set of numbers for over ten years and never had any problems. Thank God my bank caught it, but not before they skimmed $500 from my bank account with 10 different purchases, at ten different locations. And yes, my bank did make it right, but it is certainly a huge inconvenience.

  26. If you have evidence that the stolen credit card information is being sold on rescator[dot]cc, then why is that site still operating?!? Have you brought your evidence to CloudFlare to see if they would take the site down???

  27. The bunk must pay insursnce, and is required by law to cover unautharized transactions with $50 dedactible to the customer. So in case of the breach like that the losses will be covered by FEDs who will simply reprint the money and dump it into, already huge inflation…
    Who ever is stilling the cards us taking advantage of over regulated, broken system. If banks were not forced to pay the insurance they would have to find a way to protect their assets.

  28. This is nothing new. My bank account was debited over $1600.00 last year for
    two gift cards at Home Depot stores in Seguin, Texas and Katy,Texas. My bank credited my account, but Home Depot could not have cared less. One of the managers at the Katy, TX store was even upset that a Home Depot Resolution Expeditor gave me his name to contact. They didn’t care when it happened to me on October 10 and 11 last year! Their “Resolution Expeditor” could get no response for nearly one month. I still have his emails. I sent three letters to their corporate office and received NO reply. Expect Home Depot to remain silent.

  29. This site (ssllabs.com) verifies and rates the SSL security risks of a website. Used in over 85 countries and 40 of the top Fortune global 100 companies.

    HOME DEPOT received an “F” rating for the security of their payment systems before home depot demanded they disable the rating for the site. HAHAHA..

    Even the most basic site security can receive a “C” rating.

    LOL, if you go to the site and try to enter https://secure2.HomeDepot.com for review, the site states verbatim:

    “This site’s owners requested that we do not publish their assessment results.”

    WOW, the CEO of HOME DEPOT also announced months ago that he will be stepping down.

    I wonder how long they knew about this breach! HOME DEPOT is trying to cover their arse.

    They will drag this out as long as possible and provide the public with the bear minimum information just to save their stock price… BOYCOTT HOME DEPOT and prosecute the CEO for Negligence.

    • Keep this to yourself but here’s more stuff they want to hide:

      # robots.txt for http://www.homedepot.com/
      User-agent: *
      Disallow: /*SiteMapView*
      Disallow: /*Navigation?Ns=P_Topseller_Sort|style=List*
      Disallow: /*Navigation?Ns=P_Topseller_Sort|style=A*
      Disallow: /*AOLPartsServicesView*
      Disallow: /*CheckoutSignIn*
      Disallow: /*OrderItemUpdate*
      Disallow: /*THDLogon*
      Disallow: /*ShippingInfo*
      Disallow: /*THDShippingInfo*
      Disallow: /*OrderCalculate*
      Disallow: /*AOLOrderItemUpdate*
      Disallow: /*OrderPrepare*
      Disallow: /*OrderDisplay*
      Disallow: /*OrderProcess*
      Disallow: /*OrderOkView*
      Disallow: /*ShippingMethod*
      Disallow: /*AOLPartsServicesDelete*
      Disallow: /*OrderItemDisplayViewShiptoAssoc*
      Disallow: /*DeliveryCalendar*
      Disallow: /*AOLScheduleDelivery*
      Disallow: /*OrderItemAdd*
      Disallow: /*CheckSOSIOrderStatusView*
      Disallow: /*GiftCardProductDisplay*
      Disallow: /*GiftRegistryAuthenticateCmd*
      Disallow: /*LogonForm*
      Disallow: /*ManagePrivacyPrefFormEXPO*
      Disallow: /*OrderStatusDisplay*
      Disallow: /*ReLogonFormView*
      Disallow: /*ResetPassword*
      Disallow: /*ResetPasswordForm*
      Disallow: /*THDGiftRegistryItemDisplayView*
      Disallow: /*THDInterestItemVerify*
      Disallow: /*THDSendUsAnEmail*
      Disallow: /*UserRegistrationForm*
      Disallow: /*THDProductCompare*
      Disallow: /p/compare/
      Disallow: /*THDCoordinatingItemsView*
      Disallow: /*QuickViewService*
      Disallow: /*THDEmailProductDetailsView*
      Disallow: /*MoreViewsPage*
      Disallow: /*Bopis2OverLay*
      Disallow: /*MobileAOLESPLearnMore*
      Disallow: /*THDMobileBossOverlay*
      Disallow: /*THDMobileBopisOverLay*
      Disallow: /*MobilePickUpOptionsView*
      Disallow: /*MobileUserAccountView*
      Disallow: /*THDMobileOrderStatusDetailDisplay*
      Disallow: /*THDMobileInterestItemDisplay*
      Disallow: /*MobileSendWishListMsg*
      Disallow: /*MobileUserRegistrationUpdateForm*
      Disallow: /*MobileUserRegistrationAdd*
      Disallow: /*MobileOrderItemDisplay*
      Disallow: /*MobileOrderItemDelete*
      Disallow: /*Search?*
      Disallow: /*NCNI-5*
      Disallow: /*recordCompareList*
      Disallow: /*PLP_Overlay*
      Disallow: /*Ntt-*
      Disallow: /*Ntk-*
      Disallow: /*DiscountDetailsDisplayView*
      Disallow: /*HREF_WCS_NONSECURE*
      Disallow: /*ExternalDirectView*
      Disallow: /*AjaxNavigation*
      Disallow: /*Fragments/
      Disallow: /s/
      Disallow: /p/qv/
      Sitemap: http://www.homedepot.com/sitemap/sitemap_index.xml
      Sitemap: http://www.homedepot.com/sitemap/p/sitemap_index.xml
      Sitemap: http://www.homedepot.com/mobilesitemap/mobilesitemap_index.xml
      Sitemap: http://www.homedepot.com/mobilesitemap/p/sitemap_index.xml

      AOL? Really?

  30. HOME DEPOT BREACH has been reported as resulting in more than 100 million plus stolen credit card numbers !!!!!!

    This will amount to the BIGGEST retail credit card breach EVER!