Expert: Credit data stolen from every Home Depot

You probably don’t have to wonder whether your local Home Depot store was one of the ones where credit card information was stolen by, presumably, Russian hackers. It was, Brian Krebs, the online security expert says.

Krebs has checked out what credit card information is being sold online by the hackers and he finds that card information from virtually every Home Depot store in the country is included.

In all, there were 1,822 ZIP codes represented in the card data for sale on Rescator’s site, and 1,939 unique ZIPs corresponding to Home Depot store locations (while Home Depot says it has ~2,200 stores, it is safe to assume that some ZIP codes have more than one Home Depot store). Between those two lists of ZIP codes, there are 10 ZIP codes in Rescator’s card data that do not correspond to actual Home Depot stores.

Finally, there were 127 ZIP codes for Home Depot stores that were not in the list of ZIPs represented in Rescator’s card data. However, it’s important to note that the data pulled from Rescator’s site is almost certainly a tiny fraction of the cards that his shop will put up for sale in the coming days and weeks.

What does all this mean? Well, assuming Home Depot does confirm a breach, it could give us one way to determine the likely size of this breach. The banks I spoke with in reporting this story say the data they’re looking at suggests that the breach probably started in late April or early May.

To put that in perspective, the Target breach impacted just shy of 1,800 stores, lasted for approximately three weeks, and resulted in the theft of roughly 40 million debit and credit card numbers. If a breach at Home Depot is confirmed, and if this analysis is correct, this breach could be much, much bigger than Target.

Krebs recommends the usual action by consumers: Monitor your accounts for unusual activity and don’t depend on banks to alert you of fraudulent activity. Because the stolen credit card numbers come from so many different zip codes, purchases may not look particularly unusual to the banks and credit card companies.

The ZIP code data allows crooks who buy these cards to create counterfeit copies of the credit and debit cards, and use them to buy gift cards and high-priced merchandise from big box retail stores. This information is extremely valuable to the crooks who are purchasing the stolen cards, for one simple reason: Banks will often block in-store card transactions on purchases that occur outside of the legitimate cardholder’s geographic region (particularly in the wake of a major breach).

Thus, experienced crooks prefer to purchase cards that were stolen from stores near them, because they know that using the cards for fraudulent purchases in the same geographic area as the legitimate cardholder is less likely to trigger alerts about suspicious transactions — alerts that could render the stolen card data worthless for the thieves.

Related: Home Depot Tries to Reassure Customers About Possible Data Breach (WSJ).

I Feel Nothing: The Home Depot Hack And Data Breach Fatigue (NPR’s All Tech Considered).