Home Depot, the world’s largest home improvement chain, said about 53 million email addresses were stolen during a recent breach of its payment data systems, in addition to some 56 million payment cards previously disclosed by the retailer.
The company, which confirmed the theft in September, said the stolen files that contained the email addresses did not include passwords, payment card information or other sensitive personal information.
Home Depot, which had estimated that the breach would cost about $62 million, was one of a string of U.S. retailers attacked by hackers over the past year.
Criminals used a third-party vendor’s user name and password to enter the perimeter of its network, Home Depot said in a statement on Thursday.
The hackers then acquired “elevated rights” that allowed them to navigate parts of Home Depot’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada, according to the company.
Home Depot said the stolen credentials did not alone provide direct access to the company’s point-of-sale devices.
Since September, the company has implemented enhanced encryption of payment data in all U.S. stores and said the rollout to Canadian stores will be completed by early 2015.
This, however, was “really lipstick on a pig” and the proper solution was to add chips and PINs, or EMV technology, to U.S. credit cards, said David Campbell, chief security officer at SendGrid, a cloud-based email delivery service.
Home Depot said it was already rolling out the EMV technology.
The company reaffirmed its 2014 sales growth forecast of about 4.8 percent and earnings per share forecast of $4.54.
The forecast includes estimates for the cost to investigate the data breach and provide credit monitoring services to its customers as well as legal fees, the company said.
The company maintained that it has not yet estimated the impact of “probable losses” related to the breach.
“Those costs may have a material adverse effect on The Home Depot’s financial results in the fourth quarter of fiscal 2014 and/or future periods,” the company said.
Last year, Target was the target of a breach in which attackers used log-in information taken from a company responsible for maintaining the heating and air conditioning systems in its stores. That attack and one carried out against the investment firm J.P. Morgan were similar to the Home Depot breach in that they involved information taken from third-parties, said Chris Wysopal, CTO at Veracode, a software security firm.
“It is clear that the theft of third-party vendor credentials is a big risk for enterprises after seeing this attack vector used in recent major breaches,” Wysopal told Re/code. “Enterprises should adopt two-factor authentication for vendors who require access to their corporate networks and applications.”
Home Depot shares closed up 1.6 percent at $97.29 per share on Thursday on the New York Stock Exchange.
(Reporting by Devika Krishna Kumar in Bangalore; additional reporting by Arik Hesseldahl for Re/code; editing by Rodney Joyce and Joyjeet Das.)
This article originally appeared on Recode.net.