Home Depot says 53 million emails stolen

An investigation of what may be the world's largest credit card breach reveals hackers didn't just grab 56 million credit card numbers -- they stole tens of millions of email addresses, too.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
2 min read

Hackers installed custom malicious software on the retailer's self-checkout machines. Home Depot

Along with stealing 56 million credit cards from Home Depot, hackers also got their hands on more than 53 million email addresses, the world's largest home-improvement chain said Thursday.

Home Depot said it discovered the email thefts after a joint investigation with law enforcement and independent security analysts delved into what may be the world's largest credit card breach.

Hackers entered Home Depot's network using credentials stolen from a third-party vendor, the company said in a press release. That access allowed hackers to work their way through Home Depot's network to its self-checkout machines in the US and Canada, where they inserted malicious software to steal customers' card numbers. Home Depot had confirmed that data breach in September.

A third-party vendor was also the point of entry in last year's breach at Target, which exposed some 40 million cards.

While no "passwords, payment card information or other sensitive personal information" was held in the files holding customer email addresses, Home Depot warned customers to be on guard against phishing scams -- phony emails that try to trick people into revealing personal information.

The malicious software, active on Home Depot's network between April and September of this year, has been removed, the company said. It has also improved the encryption -- which scrambles information to make it unreadable to hackers -- in its credit card payment systems.

The company has notified owners of the affected email addresses.

Home Depot said it doesn't expect further updates on the breach. A request for comment was not immediately returned.

The breach is one in a long string of high-profile hacks against major US retail and restaurant chains. Last year, hackers behind the Target attack stole around 40 million credit card numbers and the personal information of another 70 million people. Arts and crafts retail chain Michaels Stores, department store Neiman Marcus and the P.F. Chang's restaurant chain all announced this year they had been hacked, too, with credit card information the goal of the attacks.

The credit card data breaches of 2014

See all photos