Hackers Ravaged Home Depot With a Password Stolen from a Vendor

Earlier this year Home Depot confirmed that 56 million cards had been compromised in one of the biggest retail security breaches in history. Now we know that, much like in the Target hack—which was traced to a heating company—Home Depot was infiltrated using custom malware and passwords stolen from a third-party vendor.

An article in the Wall Street Journal has lots of new information about the hack, including the fact that the attackers made entry by stealing a vendor's username and password to get into Home Depot's payment system. In addition, we now know 53 million email addresses were stolen. Before, all we knew was that 56 million cards had been exposed.

The weak point was a Windows vulnerability that allowed hackers to access the Home Depot system through a vendor's connection and start collecting proprietary sales information. Turns out Home Depot's system was a little too exposed to vendors who didn't have as much security as maybe they should have.

Microsoft did issue a fix for the bug in Windows, but it came too late; by then the hackers were already able to move freely through the system. The attack focused specifically on the self-service checkout systems, about 7,500 of which are found in stores nationwide. For about five months the hackers collected data undetected, mostly because the malware was written to erase itself without a trace.

Basically, if you shopped at Home Depot earlier this year, be wary of your credit card charges as you begin your holiday shopping. [WSJ]

DISCUSSION

UncleCCClaudius

I had Vendor access to HD's systems for most of the beginning of this year. The password never changed and apparently had been in use for years. Lucky me, I used one of my cards practically every time I was in a store and it was compromised in the breach.

Contrast this with Lowe's where I needed a new password to access the Vendor functions every time I went in.