Home Depot released the details of the email theft as it continues its investigation into the source and breadth of the data breach, which has already cost credit unions nearly $60 million.
The final cost of the breach will certainly exceed that amount.
Home Depot said that the criminal used a third-party vendor's user name and password to “enter the perimeter” of Home Depot's network. The hackers then used that access to acquire “elevated rights” that allowed them to navigate portions of Home Depot's network and to deploy “unique, custom-built malware” on Home Depot’s self-checkout systems in the U.S. and Canada.
In addition to the previously disclosed theft of the payment card data, Home Depot said Thursday that files containing approximately 53 million email addresses were also stolen, but advised that the files did not contain passwords, payment card information or sensitive personal information.
“The company is notifying affected customers in the U.S. and Canada,” Home Depot said. “Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.”
Home Depot again said that the malware used in the attack had not been seen in any prior attacks and was designed specifically to evade detection by antivirus software. The company also said that the hackers’ “method of entry” has been closed off and the malware has been eliminated from the company’s systems.
“The Home Depot's investigation, cooperation with law enforcement and efforts to further enhance its security measures are ongoing,” Home Depot said. “The company does not anticipate further updates on the breach outside of its quarterly financial disclosures.”