Home Depot announced on Thursday that hackers “used a third-party vendor’s username and password” to breach the perimeter of its network and that 53 million email addresses also were stolen during the massive data breach reported in September.
In a news release, Home Depot said: “These stolen credentials alone did not provide direct access to the company’s point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.”
“In addition to the previously disclosed payment card data, separate files containing approximately 53 million email addresses were also taken during the breach,” Home Depot noted. “These files did not contain passwords, payment card information or other sensitive personal information. The company is notifying affected customers in the U.S. and Canada. Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.”
In September, Home Depot announced that the breach enabled criminals to access information from 56 million credit and debit cards in the United States and Canada.
The latest revelations, announced Thursday, arose from Home Depot’s investigation of the breach.
“We apologize for the frustration and anxiety this causes our customers and we thank you for your patience and support as we work through this issue,“ the company told customers.
Home Depot also noted in its release that it has implemented enhanced encryption and EMV chip-and-pin technology.