Home Depot Says Hackers Grabbed 53 Million Email Addresses
wiredmikey writes Home Depot said on Thursday that hackers managed to access 53 million customer email addresses during the massive breach that was disclosed in September when the retail giant announced that 56 million customer payment cards were compromised in a cyber attack. The files containing the stolen email addresses did not contain passwords, payment card information or other sensitive personal information, the company said. The company also said that the hackers acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
Re: (Score:3, Informative)
Glad that's over!
It's not over.
Which part of "Microsoft product" did Home Depot not understand?
According to an Oct. 1, 2013, report prepared for Home Depot by consultant FishNet Security, the retailer left its computers vulnerable by switching off Symantec’s Network Threat Protection (NTP) firewall in favor of one packaged with Windows.
http://www.businessweek.com/ar... [businessweek.com]
Re: (Score:3)
According to an Oct. 1, 2013, report prepared for Home Depot by consultant FishNet Security, the retailer left its computers vulnerable by switching off Symantec's Network Threat Protection (NTP) firewall in favor of one packaged with Windows.
No enterprise installation should ever be relying on individual client firewall software for network security. At best, that should be a second line of defense. It is the job of the perimeter firewall to handle these kind of threats.
Re: (Score:2)
And if they are already inside your network from an unsecured port on a wall somewhere, or through internal wireless?
Point-of-sale systems should be firewalled out the ass.
Home Derpot (Score:2)
Derp
brick and mortar stores (Score:2)
Re: (Score:1)
It's not easy, though, to buy plywood or 2x4 online.
Re: (Score:1)
Re: (Score:2)
Why yes, I do want free two day shipping with Amazon Prime!
Re: (Score:3)
Re: (Score:3)
You are aware the measurements of that wood are in inches right?
Re: (Score:3)
I'll just hire some little people to dance around it once I'm done.
Re: (Score:2)
Yeah, show me a 4 foot by 8 foot sheet of wallboard, or a 50-gallon water heater on Amazon.
Didn't think so.
Re: (Score:2)
The wallboard is indeed nowhere to be found, but you can get the water heater: http://www.amazon.com/Rheem-PR... [amazon.com]
Home Depot is getting off cheap (Score:5, Interesting)
Re: (Score:2)
Home Depot isn't paying for your card, and a letter isn't that expensive when you are buying office supplies in bulk.
Home Cheapo (what my sister's always called it) (Score:2)
Did your credit union send the letters, or did Home Depot?
Home Depot isn't paying for your card, and a letter isn't that expensive when you are buying office supplies in bulk.
For a corporation with $78 Billion in revenue, $62 million is like you paying the paperboy his Christmas bonus.
Re:Home Cheapo (what my sister's always called it) (Score:5, Funny)
Paperboy?
Bonus?
Are these English words?
Re: Home Depot is getting off cheap (Score:2)
Re: Home Depot is getting off cheap (Score:1)
Re: (Score:2)
And there's also a thing called "metered postage" which is far cheaper than using stamps if you send out the kind of mail volume that a bank does.
Re: (Score:3)
The cheapest first class metered mail for pre-sorted by 5 digit zip code is about $.38/letter. It's cheaper, but I wouldn't say "far cheaper". Standard class bulk mail (aka junk mail) goes cheaper, but can't be used for personalized correspondence, sending out replacement credit cards, etc.
Re: (Score:2)
My credit union sent me two snail-mail letters as well as two emails telling me my card likely was included in the breach. They then sent me, via Visa, a new card. Even after I had already activated it, they sent me two follow up letters, one to say that I should have already received my card and that even if I hadn't, my old card would be deactivated on a date, and then on that date I received a letter saying it was deactivated.
If I'm reading USPS.com right, the cheapest first class letter rate is for an 5
Re: Home Depot is getting off cheap (Score:1)
Re: (Score:2)
I wasn't the one that made the original post, but yes, it's an expense to my credit union (and everyone else's credit union or bank) for something that they won't be reimbursed for by Home Depot. The cost for Home Depot was what it cost them to investigate the breach, fix it, replace terminals, etc., as well as damage control, credit monitoring for the victims, etc.
Re: (Score:2)
No, Home Depot is externalizing that cost. If they had to pay to reissue each card lost, plus some money to cover the customer's extra trouble while changing card numbers, they'd be paying more than $62M.
Re: (Score:3)
Stolen credit card numbers are easily fixed. The thieves have stolen information which can be used for identity theft which is much much harder to fix.
I would never give Home Depot my address... (Score:5, Informative)
I do remember the face of a nice cashier lady in a rural Home Depot — she asked me to "sign up for free" and I refused. It genuinely offended her, though she remained professionally nice... Maybe, now she understands.
And when you have to — or, despite the risks, want to — register with some company, always use an address like yourid+companyname-year@example.com. The nifty feature supported by most mail-servers will still deliver the message into your mbox, but you'll be able to block a particular address, when it gets stolen (or when the party you gave it to in the first place turns to spamming).
GMail supports the feature, Yahoo! Mail might too.
(Of course, owners of their own domains have the infinite supply of even nicer-looking addresses.)
Re: (Score:2)
I just say I don't have an email address. I do use throw away email addresses when really needed to register to on line sites. Even my bank doesn't have my email address.
Profession: IT consultant
Your email: I don't have one!
Hehe...
Re: (Score:2)
This may be good enough for companies, that force registration needlessly. But there are other cases. Say, you buy something online — and want to get order confirmation and tracking number by e-mail? Or want your transit (bus or train) to warn you, they have a problem before you leave the house...
There are plenty of legitimate reasons to give your address to other people and companies alike and using "throw-away" addresses is not a good way to keep in touch. My way all of the message still arrive to
Re: (Score:2)
It depends how fast you throw them away. My slashdot throw away address has been valid for 10 years at least. Still, I can throw it away without impacting anything else if I want and yes all addresses end up in the same inbox and I can edit the sender in my email client to enter anything I want.
Despite all that, I rarely provide an email address and surely not to home depot.
Re: (Score:2)
Well, then you do have the same system I proposed only you have to go through the trouble of creating those throw-away accounts before you can use them.
By using the scheme I outlined (or your own domain) you don't need to pre-make the accounts — you+FOO@gmail.com (and/or FOO@yourdomain.com) already exists for an infinite (well, very large) variety of FOOs.
Re: (Score:2)
The thing is your method fails the modification test. Heck, Excel or OpenOffice can easily parse the +XXX out of your email address quickly. Heck, if you are smart you modify it before storing it.
His method is foolproof. Personally I have an old juno.com account that I have to reactivate as it goes dormant every 6 months. When I need it, reactivation takes seconds, and then once set up I ignore it.
Re: (Score:2)
It depends how fast you throw them away. My slashdot throw away address has been valid for 10 years at least. Still, I can throw it away without impacting anything else if I want and yes all addresses end up in the same inbox and I can edit the sender in my email client to enter anything I want.
You are going to love this:
https://www.absorb.it/virtual-... [absorb.it]
Virtual Identity is a Thunderbird addon that automatically puts the right "sender" address when you send an email. It is the reason that I'm married to Tbird.
Re: (Score:1)
Re: (Score:2)
Where do you set that up on Gmail? I never knew that!
Re: (Score:2)
You don't have to set anything up - just use the address tag when you supply an email address. It's still a valid email address (see link below), so will still get delivered to your inbox. The extra information in the tag/extension makes the address unique (if you made the tag info unique), so can be used to filter messages, sort them to subfolders etc. depending on what your mail provider supports. Different providers support different separators, Gmail happens to be one that supports the plus.
https://e [wikipedia.org]
Re: (Score:3)
Re: (Score:3)
always use an address like yourid+companyname-year@example.com.
You don't think spammers can learn to strip out the characters between the + and the @ ? If I was a spammer, I'd do that automatically. Hell, I'd probably keep the original, but also create the stripped version, and then spam them both.
Re: (Score:2)
always use an address like yourid+companyname-year@example.com.
You don't think spammers can learn to strip out the characters between the + and the @ ? If I was a spammer, I'd do that automatically. Hell, I'd probably keep the original, but also create the stripped version, and then spam them both.
I have my own domain, and my personal email goes to a traditional firstname.lastname@domain.tld, but when I sign up for anything, I'd prefer to use a unique address, so I have a prefix for such things, let's call it "xyz" and then +supplier-name, so xyz+amazon@domain.tld. When I sign up for something, I add a white-list entry for that address. Anything not white-listed (e.g. xyz-foobar) goes straight to spam.
I *do* forget to add white-list entries sometimes, but that's fine because I do check and manually
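The plus-addressing scheme from the "I would never give Home Depot my address" post (yourid+companyname-year@example.com) and the whitelist variant from this post (xyz+supplier@domain.tld, anything not whitelisted goes to spam) can be shown together in a few lines. The code below is an added example, not anything posted in the thread or provided by any mail provider; the "+" separator is Gmail's and is assumed, the whitelist and sample recipients are constructed. It shows three things: how a leaked tagged address points back at the company that leaked it, how trivially a tag can be stripped (the objection raised further down the thread), and why a recipient-side whitelist still catches the stripped address.

```python
import re
from typing import Optional, Tuple

# Constructed whitelist: the tagged addresses actually handed out to companies
# under the xyz+supplier@domain.tld scheme described in the post. Assumption:
# the mail server delivers any local part up to "+" into the same mailbox.
WHITELIST = {
    "xyz+amazon@example.com",
    "xyz+homedepot-2014@example.com",
}


def split_tag(address: str, separator: str = "+") -> Tuple[str, Optional[str], str]:
    """Split local+tag@domain into (base, tag, domain); tag is None when absent.

    The separator is provider specific; "+" is what Gmail honours, other
    providers use different characters (assumed here, as the thread notes).
    """
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base, sep, tag = local.partition(separator)
    return base.lower(), (tag.lower() if sep else None), domain.lower()


def leak_source(address: str) -> Optional[str]:
    """Given an address that turned up in a breach dump or spam run, return the
    company/year tag that identifies who leaked it (None if untagged)."""
    _, tag, _ = split_tag(address)
    return tag


def strip_tag(address: str) -> str:
    """What a spammer's list-cleaning step would do: drop everything between
    the separator and the "@". Any spreadsheet formula can do this too."""
    base, _, domain = split_tag(address)
    return f"{base}@{domain}"


def classify(recipient: str) -> str:
    """Route by the envelope *recipient*: only whitelisted tagged addresses
    reach the inbox. The stripped base address is not on the list, so the
    tag-stripping attack lands in spam rather than defeating the scheme."""
    return "inbox" if recipient.lower() in WHITELIST else "spam"


# Constructed sample of addresses a mail filter might see as recipients.
SAMPLE_RECIPIENTS = [
    "xyz+amazon@example.com",          # handed to a supplier, whitelisted
    "xyz+homedepot-2014@example.com",  # handed out in 2014, whitelisted
    "xyz+foobar@example.com",          # never handed out -> spam
    "xyz@example.com",                 # tag stripped by a spammer -> spam
]


def route_all(recipients) -> dict:
    """Map each recipient address to the folder it would be delivered to."""
    return {r: classify(r) for r in recipients}


if __name__ == "__main__":
    print("leaked by:", leak_source("xyz+homedepot-2014@example.com"))
    print("stripped:", strip_tag("xyz+homedepot-2014@example.com"))
    for addr, folder in route_all(SAMPLE_RECIPIENTS).items():
        print(f"{addr:35} -> {folder}")
```

The whitelist does not stop a spammer who keeps the original tagged address (the "spam them both" case below), but then the tag itself tells you which company to block and to blame.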
Re: (Score:2)
Meh.
I could easily do this, and I used to, but I decided I just don't care. I don't even worry about posting my e-mail address all over the Internet. What does it cost me? More stuff for my spam folder, but GMail catches all of it, or so close to all of it as makes no difference. I have a message or two per week which slips past the filter, so I just click the "spam" icon and go on with life.
As for Home Depot, I really like the e-mailed receipts. I wish all stores offered that option; I'd give all of th
Re: (Score:2)
Anyone know why only the big email providers like Gmail/Hotmail/etc. support this, but a HostGator does not? Would be nice. Granted, on my personal domain, I can create all the email addresses I want, but would be nice to get this feature.
Re: (Score:2)
always use an address like yourid+companyname-year@example.com
That is an awesome tip!
Thanks!
Re: (Score:2)
And a load of smaller sites that I can make exceptions for 'cos they're small businesses and all... but that said, their web-devs are still crap.
I keep meaning to build a plus-address name and shame website just to highlight the amount of derpy devs there are.
That's the power of Home Depot (Score:2)
fight the power!
LOL (Score:5, Informative)
And they're a member of CurrentC who wants your bank account info, driver's license and SSN numbers. Who in their right mind would give the MCX or its members companies such info?
Re: (Score:2)
Oddly enough, though, the Home Depot locations around here still have their NFC terminals working, so I've been able to use Apple Pay.
Re: (Score:2, Insightful)
Exactly.
Also, to give you an idea of how bad these companies are at security and modern computing: We have to deal with Home Depot for EDI at my workplace. Home Depot requires the use of a specific Internet Explorer version 9.xx and Java builds that are 2+ years old to access their online EDI system. We can't even update our own computers because they are still stuck in 2009.
Don't give these people direct access to your bank accounts.
Yay for cheapest-bidder contracting! (Score:1)
Should have hired me instead asshats!
Who Loses Their Executive IT Position? (Score:3)
Seems like one of the jobs of IT departments for the last 10 years should have been to have their own surveillance software to be watching for activities that indicate software changes, moving of data, and added code that should be detectable so they can verify what is happening to their systems in near real time.
Re:Who Loses Their Executive IT Position? (Score:5, Interesting)
> moving of data,
If FDR hadn't fought so hard in 1935 against adding a check digit, monitoring for SSNs over the network would be so much easier. Canadian SIN have check digits so a couple of times we were able to detect suspicious file transfers. Yes, the US did a great job getting 25 million SSNs issued within three months, but we're still paying for that decision.
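The point about check digits is a data-loss-detection one: a nine-digit SSN is indistinguishable from any other nine-digit number, while a Canadian SIN carries a Luhn (mod 10) check digit, so a network or file monitor can reject most nine-digit noise and flag only candidates that actually validate. The following is an added example, not the poster's monitoring code: a small scanner over a constructed file excerpt that first collects every nine-digit candidate (what an SSN detector is stuck with) and then keeps only those passing the Luhn check (what a SIN detector can do). The SIN-like values are constructed test numbers.

```python
import re
from typing import Dict, List

# Nine digits, optionally grouped 3-3-3 with spaces or dashes, as SINs and
# SSN-like values are commonly written. Word boundaries stop a 10-digit phone
# number from matching on its first nine digits.
NINE_DIGIT = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the algorithm behind the SIN check digit.

    From the rightmost digit, every second digit is doubled (subtracting 9 if
    the result exceeds 9); the number is valid when the digit sum is 0 mod 10.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def nine_digit_candidates(text: str) -> List[str]:
    """Every nine-digit group in the text: the best an SSN scanner can do,
    since SSNs carry no check digit."""
    return ["".join(m.groups()) for m in NINE_DIGIT.finditer(text)]


def sin_candidates(text: str) -> List[str]:
    """Nine-digit groups that also pass Luhn: a far smaller, higher-confidence
    set, which is why SIN exfiltration is easier to spot than SSN exfiltration."""
    return [c for c in nine_digit_candidates(text) if luhn_valid(c)]


def scan_report(text: str) -> Dict[str, object]:
    """Summarise a file or flow excerpt for an alerting rule."""
    candidates = nine_digit_candidates(text)
    valid = sin_candidates(text)
    return {
        "nine_digit_groups": len(candidates),
        "luhn_valid": len(valid),
        "matches": valid,
    }


# Constructed excerpt of an outbound file transfer; the first and third
# numbers are constructed Luhn-valid values, the others are not.
SAMPLE_EXPORT = """\
2014-11-06 export.csv
046-454-286,Smith,Toronto
046 454 287,Jones,Ottawa
123456782,Lee,Vancouver
phone 555121234 ext 7
order 4158675309 shipped
"""


if __name__ == "__main__":
    report = scan_report(SAMPLE_EXPORT)
    print(f"{report['nine_digit_groups']} nine-digit groups, "
          f"{report['luhn_valid']} pass the SIN check digit: {report['matches']}")
```

A random nine-digit number passes Luhn about one time in ten, so the check digit does not prove a value is a SIN, but it cuts the false-positive volume enough that a transfer containing dozens of Luhn-valid 3-3-3 groups is worth an alert. An SSN detector has to lean on context (column names, nearby names and dates) instead.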
Re: Who Loses Their Executive IT Position? (Score:3)
Actually, per the Patriot Act you have to give it to your bank. Your insurance company also needs it to report to the IRS that you are compliant with the ACA. Lots of people need it and have a legal reason for it, sadly.
Re: (Score:2)
Re: (Score:2)
The SSN is a perfectly good identification number. It's terrible at authentication, though. If everybody treated the number as identification, and not as any sort of hint that the person supplying the number is the legitimate person for that number, there wouldn't be any problem.
Re: (Score:2)
While I have a problem with SSN numbers used for identification, mostly due to principles, in that they aren't supposed to be. The bigger problem with using them as ID for everything, is that your personal, global credit/debt history/report is tied to this number, along with IRS record
Re: (Score:2)
Right, the problem is with people misusing other people's SSNs. The reason they can get away with this is that approximately nobody asks for proper authentication. Instead, they pretend that the SSN is authentication. A scheme where you're assigned a number that you can't change that is used for authentication is either incredibly stupid or incredibly callous.
Similarly, ID theft isn't really ID theft. It's a particularly nasty form of fraud that institutions go along with because it's no problem of t
Time to switch to CurrentC and... (Score:2)
Running Windows and offshoring to India (Score:3)
Yes, Home Depot offshored significant amounts of their admin. This allows India to work on the computers in the middle of the night. However, like Target, and the others, it enables people that have NO VESTED INTEREST in the company, or the nation, to have access to production.
This will continue as long as companies continue to cheat.
Re: (Score:1)
Portions of Home Depot's network? (Score:1)
What Operating System did this self-checkout system run on?
Never shop there anymore anyway (Score:2)
CurrentC save us! (Score:2)
Home Depot's Apology Email to Customers (Score:2)
Dear Valued Customer,
The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.
In all likelihood this event will not impact you, but we recommend that you be on the alert for phony emails requesting personal or sensitive information. If you have any questions or would like additional information on how to protect yourself from email scams, please visit our website or call 1-800-HOMEDEPOT.
Again, we apologize for the frustration and inconvenience this incident may have caused. Thank you for your continued support.
Sincerely,
The Home Depot
I was struck by how the letter did not say anything about what HD has done to ensure that something like this will not happen again to them.
I believe the breach has reached my address (Score:1)