Home Depot has exposed the private order confirmations of hundreds of Canadian consumers, containing names, physical addresses, email addresses, order details and partial credit-card information.
After customers began reporting that they had received hundreds of emails from the home-improvement giant, each containing an order confirmation for a stranger, the company confirmed the issue.
One affected customer posted a screenshot of his inbox on Twitter, filled with random people’s order confirmations, tweeting: “Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong.”
He added, “you are almost certainly aware by now that you sent four-to-five-hundred emails to each of 527 people by mistake.”
The company was quick to respond, although it didn’t provide many details.
“Thank you for reaching out to us,” Home Depot Canada tweeted on Wednesday. “We are aware of what occurred this morning and can confirm that this issue has now been fixed. This issue impacted a very small number of our customers who had in-store pick-up orders. Please DM us with any additional questions.”
But the issue appears to have affected several hundred people, and not only in-store pickup orders:
This is a VERY serious data breach that has affected at least 900 consumers, not just in-store pick-up. My ONLINE ORDER was sent to 300 people, and I received the ONLINE ORDERS of 43 others. Names, home addresses, order info and credit card info was all shared 🙁 @HomeDepot
— bethanyfrances (@bethanyfrances) October 28, 2020
Home Depot Canada confirmed the impact to online shoppers in a later tweet, after being called out on the in-store-only claim.
In response to an inquiry asking how the breach happened and asking for more concrete details on who was affected, the DIY specialist told Threatpost: “Tuesday evening, we discovered a systems error on select http://Homedepot.ca orders impacting a small number of our Canadian customers. Some customers may have received multiple emails for orders they did not place. This issue has been fixed. None of the emails contained passwords or un-hashed payment card information.”
It’s unclear exactly what details these particular order confirmations included; Home Depot order confirmations sent in the past to Threatpost staff include full names and addresses, details and cost of the items ordered, phone numbers if provided for delivery purposes, and links to “check order status.” Clicking that link takes customers to an online portal to sign in, which could conceivably lead to the exposure of more information if cyberattackers were able to brute-force the credentials.
If past data exposures are any indication, the information is enough to craft convincing phishing and fraud messages. Additionally, it could even allow someone to show up at a house under the guise of being a delivery person, or conceivably allow someone to pick up an in-store order that wasn’t theirs, if strict ID checking weren’t in place.
“The data release from some of Home Depot’s customers in Canada is unusual, in that the breach seems to be the result of an internal system error rather than an external attack,” Saryu Nayyar, CEO at Gurucul, said via email. “Still, releasing home and email addresses and recent order confirmations could be gold for a malicious actor. Personal information like that can be leveraged into a convincing phishing email, which could lead to the affected customers becoming victims.”
She added, “While this appears to be a misconfiguration, there are tools available that can identify misconfigured systems and recognize unusual behavior to keep data breaches like this one from happening.”
Home Depot was the subject of one of the most high-profile data breaches ever to come to light, with 50 million credit card numbers stolen and 53 million email addresses pilfered by unknown attackers in 2014. The place for “doers” agreed in 2018 to pay $19.5 million to compensate the victims of the incident, which stemmed from attackers using compromised vendor credentials to gain access to its network and then the company’s point-of-sale system.