Home Depot said hackers stole 53 million email addresses in addition to the customer data for 56 million payment cards previously disclosed in September.
Hackers used a third-party vendor’s user name and password to enter the perimeter of its network, the retailer said on Thursday.
“Customers should be on guard against phishing scams, which are designed to trick customers into providing personal information in response to phony e-mails,” the company said.
Home Depot’s breach comes weeks before holiday shopping goes into overdrive, on Black Friday — the day after Thanksgiving.
The breach at the home improvement retailer surpassed Target’s pre-Christmas 2013 data theft, which compromised 40 million credit and debit cards and hurt sales and profits. Since late 2014, Michaels, SuperValu and Neiman Marcus have been among a string of retailers that have also reported breaches, though they were smaller.
While shoppers appear to have grown numb to the hacks, the breaches have forcing changes in retailing.
Home Depot’s latest revelation was “really lipstick on a pig” and the proper solution is to add chip and PIN, or EMV technology, to U.S. credit cards, said David Campbell, chief security officer at SendGrid, a cloud-based email delivery service.
Target’s breach pushed banks, retailers and card companies to increase security by speeding the adoption of microchips in U.S. credit and debit cards, which supporters say are more secure.
Home Depot reiterated Thursday that it will be activating chip-enabled checkout terminals at all of its U.S. stores by the end of the year.
The file containing the email addresses did not contain passwords or other sensitive personal information, according to Home Depot. However, it said that customers should be on guard against phishing scams. Phishing attacks are sent through texts or emails and try to trap you into disclosing personal information.
The company is notifying affected customers in the U.S. and Canada.
Home Depot said that the hackers initially accessed its network in April with a third-party vendor’s username and password. Home Depot said hackers stole information through malware installed on self-checkout systems in the U.S. and Canada. That’s similar to what happened at Target where thieves hacked into the password of a third-party supplier.
Home Depot said it expects to pay about $62 million this year to recover from the incursion, including additional costs for call-center staffing and legal expenses. Insurance will cover $27 million of that tab, the company said.