A third-party backdoor and a Windows vulnerability helped the Home Depot hackers plunder 56 million card transaction at the point-of-sale and escape with an additional 53 million email addresses, the US home improvement chain has revealed.
In an update on the massive data breach, the firm says that the thieves used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network.
The hackers then exploited a flaw in Windows to acquire elevated rights that allowed them to navigate through the company's IT systems and plant custom-built malware on its self-checkout systems in the US and Canada.
In addition to the previously disclosed payment card data, separate files containing approximately 53 million email addresses were also taken during the breach. The files didn't contain user passwords, but the company is warning all customers to be on guard against phishing attacks.