[BreachExchange] Home Depot Confirms Data Breach in Order Confirmation SNAFU

Fri Oct 30 10:41:10 EDT 2020

https://threatpost.com/home-depot-data-breach-order-confirmation/160728/

Hundreds of emailed order confirmations for random strangers were sent
to Canadian customers, each containing personal information.

Home Depot has exposed the private order confirmations of hundreds of
Canadian consumers, containing names, physical addresses, email
addresses, order details and partial credit-card information.

After customers began reporting that they had received hundreds of
emails from the home-improvement giant, each containing an order
confirmation for a stranger, the company confirmed the issue.

One affected customer posted a screenshot of his inbox on Twitter,
filled with random people’s order confirmations, tweeting: “Hey um…
I’m pretty sure I received a reminder email for literally every online
order that is currently ready for pick up at literally every Home
Depot store in Canada. There are 660+ emails. Something has gone
wrong.”

He added, “you are almost certainly aware by now that you sent
four-to-five-hundred emails to each of 527 people by mistake.”

The company was quick to respond, although it didn’t provide many details.

“Thank you for reaching out to us,” Home Depot Canada tweeted on
Wednesday. “We are aware of what occurred this morning and can confirm
that this issue has now been fixed.  This issue impacted a very small
number of our customers who had in-store pick-up orders. Please DM us
with any additional questions.”

But the issue seems to have affected multiple hundreds of people, and
not just in-store pickup orders:

Home Depot Canada confirmed the impact to online shoppers in a later
tweet after being called out on the in-store only claim.

In response to an inquiry asking how the breach happened and asking
for more concrete details on who was affected, the DIY specialist told
Threatpost: “Tuesday evening, we discovered a systems error on select
http://Homedepot.ca orders impacting a small number of our Canadian
customers. Some customers may have received multiple emails for orders
they did not place. This issue has been fixed. None of the emails
contained passwords or un-hashed payment card information.”

It’s unclear exactly what details these particular order confirmations
included; Home Depot order confirmations sent in the past to
Threatpost staff include full names and addresses, details and cost of
the items ordered, phone numbers if provided for delivery purposes,
and links to “check order status.” Clicking that link takes customers
to an online portal to sign in, which could conceivably lead to the
exposure of more information if cyberattackers were able to
brute-force the credentials.

If past data exposures are any indication, the information is enough
to craft convincing phishing and fraud messages. Additionally, it
could even allow someone to show up at a house under the guise of
being a delivery person, or conceivably allow someone to pick up an
in-store order that wasn’t theirs, if strict ID checking weren’t in
place. Threatpost has asked researchers for their take on the
seriousness of the issue and will update this post accordingly.

Home Depot was the subject of one of the most high-profile data
breaches ever to come to light, with 50 million credit card numbers
stolen and 53 million email addresses pilfered by unknown attackers in
2014. The place for “doers” agreed in 2018 to pay $19.5 million to
compensate the victims of the incident, which stemmed from attackers
using compromised vendor credentials to gain access to its network and
then the company’s point-of-sale system.