53 million email addresses have been stolen during the five-month data breach at US retail major Home Depot, in addition to the hacking of 56 million debit and credit card details previously disclosed.
The latest revelations follow a weeks-long probe into the hacking attack by the retailer, together with law enforcement officials.
While warning customers in US and Canada to be cautious about phishing scams, the retailer claims that the stolen files with email addresses did not have passwords, payment card data or other confidential personal data.
According to the US retailer, the hackers gained access to its network through a vendor’s user name and password and then stole data through malware on payment systems in the US and Canada.
Home Depot said in a statement: "The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada."
"As previously disclosed, the malware used in the attack had not been seen in any prior attacks and was designed to evade detection by antivirus software, according to Home Depot’s security partners.
"As the company announced on September 18, the hackers’ method of entry has been closed off and the malware has been eliminated from the company’s systems."
Jason Hart, VP Cloud Solutions, SafeNet, commented: "This is yet another breach where hackers are not only targeting financial information, but personally identifiable information like email addresses that consumers hold dear. Security is only as strong as your weakest link and in this case it wasn’t even Home Depot but one of its vendors. Relying on simple passwords is a mistake. This massive breach reinforces why more companies need to implement multi-factor authentication not only for their own employees, but for third-parties that access their data and systems. Unfortunately, only a third of companies are doing this today."