It keeps getting worse. Two months ago, Home Depot revealed that hackers had stolen 56 million credit- and debit-card numbers. And now, the company says the thieves also made off with at least 53 million customer email addresses.
It's been over two months now since the initial discovery that hackers had somehow managed to lift massive amounts of confidential customer data from Home Depot. Though Home Depot only announced it in mid-September, the hackers had actually been lifting data for several months by then (although it turned out nobody actually “hacked” into Home Depot's database; instead, somebody somehow managed to plant malware onto the checkout systems in various Home Depot stores).
So far as anyone knows, that malware has since been scrubbed from all Home Depot systems, and the months-long hacking is finally “over” — yet the full extent of the damage probably still isn't known.
Not until late September did the financial consequences of the breach start making themselves felt, as banks and credit unions across the U.S. and Canada started receiving large numbers of fraudulent charges related to the breach. As of late October, American credit unions report combined losses of at least $60 million to replace all compromised cards, cover fraudulent charges or withdrawals and pay additional staff to oversee the whole mess.
Another shoe drops
And now the next installment. Late last night, Home Depot disclosed new information about the months-old hack: in addition to raw credit- and debit-card numbers, the thieves managed to steal at least 53 million customer email addresses.
The hacking has many details in common with earlier mass hackings, especially the notorious Target hack from 2013: the same type of malware was used in both cases, and in both cases the hackers managed to breach the stores' security by attacking a third-party vendor. In Target's case it was an HVAC repairman; for Home Depot, it was a still-unidentified third-party vendor whose user name and password were presumably stolen sometime in April, just before the hackers first used those credentials to log on to Home Depot's network and start stealing data.
Home Depot is still offering free identity-theft protection services for any customer who used a payment card in any store since early April.
If you are such a customer, you have hopefully taken advantage of this free service already; this can help protect your financial data, but unfortunately won't do much to keep hackers from sending spam to your stolen email address.