As if the credit card breach at Home Depot didn’t already look enough like the Target breach: Home Depot said yesterday that the hackers who stole 56 million customer credit and debit card accounts also made off with 53 million customer email addresses.
In an update (PDF) released to its site on Thursday, Home Depot warned customers about the potential for thieves to use the email addresses in phishing attacks (think a Home Depot “survey” that offers a gift card for the first 10,000 people who open the booby-trapped attachment, for example). Home Depot stressed that the files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information.
Home Depot said the crooks initially broke in using credentials stolen from a third-party vendor. The company said thieves used the vendor’s user name and password to enter the perimeter of Home Depot’s network, but that these stolen credentials alone did not provide direct access to the company’s point-of-sale devices. For that, they had to turn to a vulnerability in Microsoft Windows that was patched only after the breach occurred, according to a story in Thursday’s Wall Street Journal.
Recall that the Target breach also started with a hacked vendor — a heating and air conditioning company in Pennsylvania that was relieved of remote-access credentials after someone inside the company opened a virus-laden email attachment. Target also came out in the days after the breach became public and revealed that the attackers had stolen more than 70 million customer email addresses.
Home Depot also confirmed that thieves targeted its self-checkout systems, a pattern first reported on this blog on Sept. 18. The Wall Street Journal reported that the intruders targeted the 7,500 self-checkout lanes at Home Depot because those terminals were clearly referenced by the company’s internal computer system as payment terminals, whereas another 70,000 regular registers were identified simply by a number.
News of the Home Depot breach broke on this blog on Sept. 2, after multiple banks confirmed that tens of thousands of their cards had just shown up for sale on the underground cybercrime shop rescator[dot]cc. That same carding shop was also the tip-off for the breach at Target, which came only after Rescator and his band of thieves pushed millions of cards stolen from Target shoppers onto the black market.