Hackers made off with a whopping 53 million email addresses as part of the high-profile April breach of Home Depot in which 56 million credit cards were compromised, the company says.
The haul bagged enough email addresses to contact everyone in England, but it was unknown if the information had been implicated in further attacks or sold off on underground criminal forums.
Unnamed breach investigators revealed the email plunder to the Wall Street Journal after two months of probing, adding new detail to a story about lax security controls at the retail giant that allegedly included outdated anti-virus and poor auditing.
Retiring chief executive Frank Blake told the paper last month that its security systems "could have been better", noting that "data security just wasn't high enough in [its] mission statement".
Former staff alleged that security controls were weak at the retail giant and said they were told "we sell hammers" when they reported security risks to executives.
Carders broke into Home Depot by exploiting a then-zero-day Microsoft vulnerability that allowed them to escalate privileges and move laterally through the network, identifying by their assigned names the payment terminals at 7,500 self check-out lanes, which they later compromised.
The breach could have been a lot bigger, investigators said, if carders had recognised 70,000 additional registers that had been named by number.
The crims remained hidden for five months, infiltrating the network only during US business hours to stay under security radars.
Chief information officer Matt Carey noticed the breach on 2 September after the US Secret Service detected some credit cards for sale on carding marketplace Rescator. The fraud shop was later found to be stuffed with stolen payment details after a spate of high-profile breaches.
The initial infection point was a server in Miami, Florida, compromised during laborious encryption upgrades in the wake of the Target breach.