Home Depot Possibly Hit by Massive Credit Card Theft

Credit: The Home Depot

(Image credit: The Home Depot)

UPDATE 9/3/2014 3pm EST: Updated to include Home Depot's new statement about the possible breach.

UPDATE 9/3/2-14 3:30pm EST: Updated to include Brian Krebs' new findings apparently confirming the Home Depot breach.

A huge trove of stolen credit- and debit-card numbers appeared on online black markets today (Sept. 2), and early signs point to American home-improvement store Home Depot as the source of the numbers. If so, the data breach might rival last year's Target attack in number of customer accounts affected, and may even be a result of attack by the same group of online criminals.

Independent information-security reporter Brian Krebs, who was the first to report the Target breach, disclosed the Home Depot evidence on his blog today. A Home Depot spokeswoman told Krebs the company was investigating "some unusual activity" and "working with [its] banking partners and law enforcement to investigate."

MORE: How to Survive a Data Breach

This latest card data is being sold on a well-known "carder" forum called Rescator, on which the Target data was also sold last fall. Perhaps humorously, the stolen data is packaged under the names "American Sanctions," containing US credit and debit cards, and "European Sanctions," for European cards — possible references to U.S. and European Union trade sanctions placed on Russia for its military activities in Ukraine.

Krebs reports that the attack may have begun in April or May of this year, and could affect all of Home Depot's 2,200 U.S. locations and perhaps even its 287 other locations outside the U.S. By comparison, the Target data was stolen over three weeks in about 1,800 store locations and netted 40 million stolen credit and debit cards.

There's no indication as of yet what kind of malware was used to steal the card numbers, and the theft may not be linked to the Backoff malware that apparently hit The UPS Store in August. We will update this story as more information becomes available.

UPDATE: Home Depot has released a statement on its corporate website. It has yet to confirm the data breach, but does say that it is continuing its investigation and that customers "will not be responsible for any possible fraudulent charges."

"If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers," the statement reads. 

UPDATE: Brian Krebs is now on Wednesday reporting that the Home Depot breach appears to involve "nearly all" US Home Depot stores, according to evidence on the underground cybercrime website Rescator [dot] cc.

It appears the stolen credit- and debit-card data located on Rescator (which many people suspected was stolen from Home Depot stores) has been organized by ZIP code of the given card. This makes the information easier to sell to other would-be fraudsters, and easier for those fraudsters to use.

Krebs matched those ZIP codes with the ZIP codes of Home Depot's US locations, and found a 99.4 percent overlap. 

At time of this update Home Depot still hasn't officially confirmed that it was breached, but the evidence that this known trove of stolen card data came from Home Depot stores is growing stronger.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.