NEW YORK (CNNMoney) — There are more details out about Home Depot’s recent security breach, which was worse than first thought.
An investigation found that 53 million customer email addresses were taken during the breach, in addition to the compromise of 56 million credit and debit cards the company had previously disclosed.
The hackers got into Home Depot’s systems by stealing the username and password of a third-party vendor, the company said Thursday. A spokesman would not give any details about the vendor.
The stolen username and password did not give the criminals direct access to Home Depot’s payment system. But it did give the hackers access to a part of the company’s network from where they could deploy malware on self-checkout systems in stores in the U.S. and Canada.
The malware was a custom strain that Home Depot’s security team had never seen before. The card readers that were affected have since been removed from stores. The company is also beefing up its payment data encryption capabilities and taking other security measures.
The stolen email addresses were in files that did not contain passwords or payment card information. These files were separate from the credit and debit card data that was taken.
Home Depot is notifying affected customers. They should be on guard against any phony emails designed to trick people into providing personal information.