Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Home Depot Says Hackers Grabbed 53 Million Email Addresses 99

wiredmikey writes Home Depot said on Thursday that hackers managed to access 53 million customer email addresses during the massive breach that was disclosed in September when the retail giant announced that 56 million customer payment cards were compromised in a cyber attack. The files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information, the company said. The company also said that the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
This discussion has been archived. No new comments can be posted.

Home Depot Says Hackers Grabbed 53 Million Email Addresses

Comments Filter:
  • consistently reinforce their legacy retailing status.
  • by hamjudo ( 64140 ) on Thursday November 06, 2014 @07:52PM (#48330589) Homepage Journal
    TFA says that Home Depot expects to pay "$62 million this year to recover from the incident", referring to exposing the details on 56 million credit cards. That's only $1.11 per exposed card. I used a credit card there during the period, so my Credit Union sent me a new card, plus two other physical letters about the incident. That had to cost them more than $1.11 per affected customer.
    • Did your credit union send the letters, or did Home Depot?

      Home Depot isn't paying for your card, and a letter isn't that expensive when you are buying office supplies in bulk.

      • Did your credit union send the letters, or did Home Depot?

        Home Depot isn't paying for your card, and a letter isn't that expensive when you are buying office supplies in bulk.

        For a corporation with $78 Billion in revenue, $62 million is like you paying the paperboy his Christmas bonus.

      • There are however these thingamajigs called stamps that are required when sending a physical letter to someone.
        • Yeah, I included them in my calculations
        • And there's also a thing called "metered postage" which is far cheaper than using stamps if you send out the kind of mail volume that a bank does.

          • by cdrudge ( 68377 )

            The cheapest first class metered mail for pre-sorted by 5 digit zip code is about $.38/letter. It's cheaper, but I wouldn't say "far cheaper". Standard class bulk mail (aka junk mail) goes cheaper, but can't be used for personalized correspondence, sending out replacement credit cards, etc.

      • by cdrudge ( 68377 )

        My credit union sent me two snail-mail letters as well as two emails telling me my card likely was included in the breach. They then sent me, via Visa, a new card. Even after I had already activated it, they sent me two follow up letters, one to say that I should have already received my card and that even if I hadn't, my old card would be deactivated on a date, and then on that date I received a letter saying it was deactivated.

        If I'm reading USPS.com right, the cheapest first class letter rate is for an 5

        • So your original point was the expense to your credit union, and not Home Depot? I thought you were saying Home Depot was paying for all that.
          • by cdrudge ( 68377 )

            I wasn't the one that make the original post, but yes, it's an expense to my credit union (and everyone else's credit union or bank) for something that they won't be reimbursed by Home Depot. The cost for Home Depot was what it cost them to investigate the breach, fix it, replace terminals, etc, as well as damage control, credit monitoring for the victims, etc.

      • No, Home Depot is externalizing that cost. If they had to pay to reissue each card lost, plus some money to cover the customer's extra trouble while changing card numbers, they'd be paying more than $62M.

    • Stolen credit card numbers are easily fixed. The thieves have stolen information which can be used for identity theft which is much much harder to fix.

  • I do remember the face of a nice cashier lady in a rural Home Depot — she asked me to "sign up for free" and I refused. It genuinely offended her, though she remained professionally nice... Maybe, now she understands.

    And when you have to — or, despite the risks, want to — register with some company, always use an address like yourid+companyname-year@example.com. The nifty feature supported by most mail-servers will still deliver the message into your mbox, but you'll be able to block a particular address, when it gets stolen (or when the party you gave it to in the first place turns to spamming).

    GMail supports the feature, Yahoo! Mail might too.

    (Of course, owners of their own domains have the infinite supply of even nicer-looking addresses.)

    • by ls671 ( 1122017 )

      I just say I don't have an email address. I do use throw away email addresses when really needed to register to on line sites. Even my bank doesn't have my email address.

      Profession: IT consultant
      Your email: I don't have one!

      Hehe...

      • by mi ( 197448 )

        This may be good enough for companies, that force registration needlessly. But there are other cases. Say, you buy something online — and want to get order confirmation and tracking number by e-mail? Or want your transit (bus or train) to warn you, they have a problem before you leave the house...

        There are plenty of legitimate reasons to give your address to other people and companies alike and using "throw-away" addresses is not a good way to keep in touch. My way all of the message still arrive to

        • by ls671 ( 1122017 )

          It depends how fast you throw them away. My slashdot throw away address has been valid for 10 years at least. Still, I can throw it away without impacting anything else if I want and yes all addresses end up in the same inbox and I can edit the sender in my email client to enter anything I want.

          Despite all that, I rarely provide an email address and surely not to home depot.

          • by mi ( 197448 )

            and yes all addresses end up in the same inbox

            Well, then you do have the same system I proposed only you have to go through the trouble of creating those throw-away accounts before you can use them.

            By using the scheme I outlined (or your own domain) you don't need to pre-make the accounts — you+FOO@gmail.com (and/or FOO@yourdomain.com) already exists for an infinite (well, very large) variety of FOOs.

            • The thing is your method fails the modification test. heck excel or open office can easily parson the +XXX out of your email address quickly. Heck if you are smart you modify it before storing it.

              His method is fool proof. personally I have an old juno.com account that I have to reactivate as it goes dormant every 6 months. when i need it reactivation takes seconds. and then once setup I ignore it.

          • It depends how fast you throw them away. My slashdot throw away address has been valid for 10 years at least. Still, I can throw it away without impacting anything else if I want and yes all addresses end up in the same inbox and I can edit the sender in my email client to enter anything I want.

            You are going to love this:
            https://www.absorb.it/virtual-... [absorb.it]

            Virtual Identity is a Thunderbird addon that automatically puts the right "sender" address when you send an email. It is the reason that I'm married to Tbird.

    • That's one of the reasons that I find mailnull.com to be indispensable. It allows you to create throwaway email addys at a moments notice and if you include the name of the site in the newly created email, you can easily delete the email and never visit their site again. Mailnull's spam filters are superb, as well. Can't ask anything more from a free service.
    • by antdude ( 79039 )

      Where do you set that up on Gmail? I never knew that!

      • You don't have to set anything up - just use the address tag when you supply an email address. It's still a valid email address (see link below), so will still get delivered to your inbox. The extra information in the tag/extension makes the address unique (if you made the tag info unique), so can be used to filter messages, sort them to subfolders etc. depending on what your mail provider supports. Different providers support different separators, Gmail happens to be one that supports the plus.

        https://e [wikipedia.org]

    • OK, and what is stopping someone from cropping out the tags?
    • by Quirkz ( 1206400 )

      always use an address like yourid+companyname-year@example.com.

      You don't think spammers can learn to strip out the characters between the + and the @ ? If I was a spammer, I'd do that automatically. Hell, I'd probably keep the original, but also create the stripped version, and then spam them both.

      • always use an address like yourid+companyname-year@example.com.

        You don't think spammers can learn to strip out the characters between the + and the @ ? If I was a spammer, I'd do that automatically. Hell, I'd probably keep the original, but also create the stripped version, and then spam them both.

        I have my own domain, and my personal email goes to a traditional firstname.lastname@domain.tld, but when I sign up for anything, I'd prefer to use a unique address, so I have a prefix for such things, let's call it "xyz" and then +supplier-name, so xyz+amazon@domain.tld. When I sign up for something, I add a white-list entry for that address. Anything not white-listed (e.g. xyz-foobar) goes straight to spam.

        I *do* forget to add white-list entries sometimes, but that's fine because I do check and manually

    • Meh.

      I could easily do this, and I used to, but I decided I just don't care. I don't even worry about posting my e-mail address all over the Intenet. What does it cost me? More stuff for my spam folder, but GMail catches all of it, or so close to all of it as makes no difference. I have a message or two per week which slips past the filter, so I just click the "spam" icon and go on with life.

      As for Home Depot, I really like the e-mailed receipts. I wish all stores offered that option; I'd give all of th

    • I never knew this, that pretty awesome! I did a test on this with a couple of my email accounts, my Hotmail account supports this, unfortunately my personal domain (hosted on HostGator) does not support either the + or - method. Bummer.

      Anyone know why only the big email providers like Gmail/Hotmail/etc. support this, but a HostGator does not? Would be nice. Granted, on my personal domain, I can create all the email addresses I want, but would be nice to get this feature.
    • by cyn1c77 ( 928549 )

      always use an address like yourid+companyname-year@example.com

      That is an awesome tip!

      Thanks!

    • It's staggering just how many websites don't allow plus-addresses. In the UK alone, I have these on my plus-address shit-list:
      • carphonewarehouse.com
      • ebuyer.com
      • novatech.co.uk
      • whsmith.co.uk
      • racbenefits.co.uk
      • parking-quote.co.uk (APH Airport parking)

      And a load of smaller sites that I can make exceptions for 'cos they're small businesses and all... but that said, their web-devs are still crap.

      I keep meaning to build a plus-address name and shame website just to highlight the amount of derpy devs there are.

  • LOL (Score:5, Informative)

    by Lunix Nutcase ( 1092239 ) on Thursday November 06, 2014 @08:10PM (#48330701)

    And they're a member of CurrentC who wants your bank account info, driver's license and SSN numbers. Who in their right mind would give the MCX or its members companies such info?

    • Oddly enough, though, the Home Depot locations around here still have their NFC terminals working, so I've been able to use Apple Pay.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Exactly.

      Also, to give you an idea of how bad these companies are at security and modern computing: We have to deal with Home Depot for EDI at my workplace. Home Depot requires the use of a specific Internet Explorer version 9.xx and Java builds that are 2+ years old to access their online EDI system. We can't even update our own computers because they are still stuck in 2009.

      Don't give these people direct access to your bank accounts.

  • Should have hired me instead asshats!

  • by BoRegardless ( 721219 ) on Thursday November 06, 2014 @08:25PM (#48330795)

    Seems like one of the jobs of IT departments for the last 10 years should have been to have their own surveillance software to be watching for activities that indicate software changes, moving of data, and added code that should be detectable so they can verify what is happening to their systems in near real time.

    • by greenwow ( 3635575 ) on Thursday November 06, 2014 @08:53PM (#48330945)

      > moving of data,

      If FDR hadn't fought so hard in 1935 against adding a check digit, monitoring for SSNs over the network would be so much easier. Canadian SIN have check digits so a couple of times we were able to detect suspicious file transfers. Yes, the US did a great job getting 25 million SSNs issued within three months, but we're still paying for that decision.

  • Time to switch to CurrentC and hand over all my information to the people in the MCX. They're so responsible and knowledgable about information security and real world threats!
  • by WindBourne ( 631190 ) on Thursday November 06, 2014 @11:43PM (#48331675) Journal
    This will get you EVERYTIME.
    Yes, Home Depot offshored significant amounts of their admin. THis allows India to work on the computers in the middle of the night. However, like target, and the others, it enables ppl that have NO VESTED INTEREST in the company, or the nation, to have access to production.

    This will continue as long as companies continue to cheat.
    • by eWarz ( 610883 )
      good bye slashdot. I already barely visited this site since dice took it over as it was. However, waiting half an hour between posting comments is too much. I can get my tech news from other sources.
  • "the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada."

    What Operating System did this self-checkout system run on?
  • I have personally had problems with Home Depot's quality I shop at the local hardware stores instead
  • [sarcasm]Man, I can't wait to sign up for Current C and give them direct access to my bank account and all my personal information![/sarcasm]
  • Home Depot sent this email out to its customers:

    Dear Valued Customer,

    The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.

    In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.

    Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.

    Sincerely,

    The Home Depot

    I was struck by how the letter did not say anything about what HD has done to ensure that something like this will not happen again to them.

  • My personal email was under good control for blocking junk mail via my SpamAssassin filter and local junk box filters, up until around the time the breach was announced. Since then I have been receiving a dozen or so very well crafted spam emails, all text and all formatted in a similar fashion, containing a row or two of lines with a "reference number" "case number" or something along those lines.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...