Home Depot hack gets worse; email addresses stolen, too

If you were wondering how The Home Depot was hacked, we've got the gritty details. The Atlanta-based home improvement store says they fell victim to the same vulnerability Target did: a third-party vendor. A vendor/partner of The Home Depot was hacked, and their password stolen. From there, hackers went after the bigger fish in Home Depot. Originally thought to have compromised roughly 56 million credit card numbers, it seems about 53 million email addresses were pinched as well.

In the Target case, Hackers gained electronic billing info from a third-party vendor. From there, they simply pushed their way into Target's system.

The Home Depot found the vulnerability after more than two months of scrutiny by their internal staff and security people, as well as Government oversight on the matter. The breach was made possible by an exploit in Windows which gave hackers deeper access to Home Depot's system.

Microsoft issued a fix for the vulnerability, and The Home Depot installed it, but it was too late.

Reference names in the system identified self-checkout point-of-sale terminals, which the hackers immediately targeted. There are roughly 7,500 self-checkout terminals in Home Depot stores nationwide.

How did these hackers go months without detection? A sophisticated system, that's how. They operated during normal business hours, and designed their malware to collect the data they wanted, then move it untraced.

Source: The Wall Street Journal