More details have emerged in this period about the penetration of Home Depot, the US retailer, and the theft of its data, as previously reported in the Monitor. The hack against the firm, which was first reported in early September, was already known to have resulted in the theft of 56 million consumer debit and credit card accounts. However, it has now emerged that around 53 million email addresses were also compromised as a result of the action.
While Home Depot has stressed that the stolen account details do not include passwords, home details or other sensitive information, the email addresses are highly likely to be used for targeted phishing attempts – for example, sending out malware in attachments. This is a common use for this sort of information once it is made available on underground networks.
The incident therefore continues to demonstrate clear similarities with the earlier well-publicised attack on Target, which resulted in the compromise....
In a final parallel with the Target breach, the stolen card details showed up on rescator.cc – an underground site that acts as a clearing house for “carders”. This was also the site that first showed the stolen cards from Target, millions of which were passed on and exploited.
Taken together, this demonstrates that the tactics used against Target remain valid, and that the scale and scope of such attacks are justified by the pay-off. It is possible that the same carders are at work in this incident, given the similarities. Companies should therefore consider their exposure via third parties, and the exploitation effort shows the importance of patching vulnerabilities. Meanwhile, consumers should remember not to give their primary email address to a commercial entity, and we suggest using a “spare” account for this sole purpose. In this case the email addresses seem to have been harvested from people who chose to supply them in order to get e-receipts, an increasingly common trend due to the fading ink being used on printed versions. This therefore remains a potential vulnerability in the future.