Home Depot may be the latest addition to the list of companies that suffered a security breach after hackers broke into their customer-information database.
Security blogger Brian Krebs reported the news on Tuesday morning. A Home Depot spokesperson, reading from a prepared statement, told him:
“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons it would be inappropriate for us to speculate further but we will provide further information as soon as possible.”
Krebs' sources say that on the morning of Sept. 2, multiple banks noticed a new pile of stolen debit and credit card accounts offered for sale in the cybercrime underground, with the account information apparently stolen from Home Depot's database.
Though no detailed information is currently available to explain just how this was discovered, presumably it's because the various banks noticed that all of the stolen credit- or debit-card numbers from the most recent batch had one thing in common: they'd all been used to buy something from Home Depot.
Connected to others
Based on the currently available evidence, the Home Depot hackers appear to be Russian or Ukrainian, and connected with other recent hackings at P.F. Chang's, Sally Beauty Supply, and Target:
In what can only be interpreted as intended retribution for U.S. and European sanctions against Russia for its aggressive actions in Ukraine, this crime shop has named its newest batch of cards “American Sanctions.” Stolen cards issued by European banks that were used in compromised US store locations are being sold under a new batch of cards labeled “European Sanctions.”
(Actually, even if these hackers do indeed prove to be from or sympathetic to Russia, there is one other possible interpretation for their actions: They're greedy thieves who intended this for their own gain anyway, but decided to claim patriotic, love-of-country motivations because – hey, why not?)
According to Krebs, there's no information yet confirming how limited or widespread the breach is, but early reports indicate all 2,200 Home Depot locations in the United States were affected. At 1:50 on Monday afternoon (Eastern time), Krebs updated his initial report to say:
Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.
If you have made a credit- or debit-card Home Depot purchase at any time since last April, contact your bank or card issuer at once, and take all necessary identity-theft precautions.