Customers nervous over Home Depot’s announcement Thursday that about 53 million email addresses were stolen during the company’s massive data breach, revealed earlier this year, should be on guard, but they shouldn't panic. Home Depot stressed that hackers haven’t taken control of accounts associated with the email addresses, though the company did warn that customers whose information was included should be wary of any suspicious emails containing malicious software.
“In addition to the previously disclosed payment card data separate files containing approximately 53 million email addresses were also taken during the breach,” Home Depot said in a statement Friday. “These files did not contain passwords, payment card information or other sensitive personal information. … Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony emails.”
While it’s always better for customers to change their passwords, the exposure of such a large number of emails alone is not concerning. Hackers who breached Target point-of-sale terminals, Chase bank and dozens of other corporations have stolen millions of email addresses, with little to no fraud reported in the wake of even the most high-profile infiltrations.
What should be more concerning is the sheer ease the hackers seemed to have in the process of breaking into Home Depot’s networks. Thursday’s update also explained that the cybercriminals were able to access a third-party vendor’s user name and password to obtain access to the perimeter of Home Depot’s network. From there, they were able to design and install custom-built malware on self-checkout registers at Home Depot locations throughout the U.S. and Canada.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to remind them they will not be liable for fraudulent charges,” Home Depot CEO Frank Blake said previously. “From the time this investigation began, our guiding principle has been to put customers first, and we will continue to do so.”
Home Depot was heavily criticized at the time of the hack for failing to admit it had been hacked until days after news outlets were reporting on the subversion.