Home Depot has confirmed that its payment systems were breached at U.S. and Canadian stores, the retailer said on Monday (Sept. 8).
The breach may have begun as early as April 2014, according to the chain, which is offering free identity protection services and credit monitoring to customers who have shopped at Home Depot stores since April.
The Home Depot breach shows increasing signs of involving the same attackers who stole payment card data from Target point-of-sale systems, Krebs on Security reported.
At least some Home Depot stores were infected with a variant of the BlackPOS malware that was also used in the Target attacks that exposed 40 million customer card accounts, according to a source close to the investigation.
In addition, card numbers that appear to have been stolen from Home Depot systems were being sold on the same underground cybercrime website where millions of card numbers from the Target attack were sold. At least nine large batches of card numbers stolen from Home Depot have been put up for sale over several days, in a pattern similar to several dozen batches of stolen card numbers from Target that were offered for sale over a three-month period.