Earlier this year, Home Depot in the US confirmed that 56 million cards had been compromised, in one of the biggest retail security breaches in history. Now we know that much like the Target hack — which was traced to a heating company — Home Depot was infiltrated by custom malware and passwords stolen from a third party vendor.
An article in the Wall Street Journal has lots of new information about the hack, including the fact that the attackers made entry by stealing a vendor's username and password to get into Home Depot's payment system. In addition, we now know 53 million email addresses were stolen. Before all we knew was that 56 million had been exposed.
The weak point was a Windows vulnerability that allowed hackers to access the Home Depot system through a vendor's connection and start collecting proprietary sales information. Turns out Home Depot's system was a little too exposed to vendors who didn't have as much security as maybe they should have.
Microsoft did issue a fix for the bug in Windows, but it came too late; by then the hackers were already able to move freely through the system. The attack focused specifically on the self-service checkout systems, about 7,500 of which are found in stores nationwide. For about five months the hackers collected data undetected, mostly because the malware was written to erase itself without a trace. [WSJ]