Home Depot Email Snafu - ThreatWire

By Shannon Morse, ThreatWire 

Hundreds of Canadian Home Depot customers opened their inboxes to find an onslaught of hundreds of Home Depot confirmation emails, which turned out to be the result of an internal systems error, not a data breach. On October 28, multiple Home Depot Canada customers began tweeting and contacting Home Depot about receiving emails in their inboxes that were not associated with them. For example, one user shared a screenshot showing 660+ unread emails from Home Depot, each pertaining to a different customer with a different order number.

These emails were pickup order reminder emails, and each order number was sent to hundreds of recipient email addresses. None of these emails were BCC'd either, so each recipient could not only see the contents of the email but also the hundreds of other email addresses it was sent to. Each pickup order confirmation included order details like product, price, quantity, and partial credit card information, as well as names, emails, and home addresses, with some phone numbers.
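The failure described above is a fan-out: one per-customer notification sent to a whole list of customers with every address visible in To. The following Python is an added example, not code from ThreatWire or Home Depot, showing the two pieces a mail-sending service would want: a builder that emits one message per order addressed to that order's customer only, and a pre-send audit that rejects any message with more than one visible recipient. The orders, addresses, and sender are constructed placeholders.

```python
"""Guard for outbound per-customer notification emails.

Added example (not from the ThreatWire article or Home Depot). The incident
on the page was a batch of pickup-order reminders in which each message
carried hundreds of customers' addresses in the visible To header. Two
defensive pieces are shown:
  1. build_reminders(): one message per order, addressed only to that
     order's customer, so no recipient sees another's address or details.
  2. audit_outbound(): a pre-send check that rejects any message with more
     than one visible recipient (To/Cc), or a Bcc fan-out on a template
     that is supposed to be personal to one customer.
All order data below is constructed sample data.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample orders (hypothetical data, not from the article).
ORDERS = [
    {"order_id": "W100001", "name": "Customer A", "email": "a@example.com"},
    {"order_id": "W100002", "name": "Customer B", "email": "b@example.com"},
    {"order_id": "W100003", "name": "Customer C", "email": "c@example.com"},
]

SENDER = "pickup-noreply@example.com"  # placeholder sender address


def build_reminders(orders):
    """Return one EmailMessage per order, each addressed to exactly one customer."""
    messages = []
    for order in orders:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = order["email"]
        msg["Subject"] = f"Your pickup order {order['order_id']} is ready"
        msg.set_content(
            f"Hello {order['name']},\n\n"
            f"Order {order['order_id']} is ready for pickup.\n"
        )
        messages.append(msg)
    return messages


def build_broken_batch(orders):
    """The anti-pattern: one customer's reminder fanned out to everyone in To."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(o["email"] for o in orders)
    msg["Subject"] = f"Your pickup order {orders[0]['order_id']} is ready"
    msg.set_content("Order details for one customer, sent to every address.\n")
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc (Bcc is stripped in transit)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers) if addr]


def audit_outbound(msg):
    """Return a list of policy violations for a per-customer notification.

    Policy: exactly one visible recipient and no Bcc list. An empty list
    means the message may be handed to the MTA.
    """
    problems = []
    visible = visible_recipients(msg)
    if len(visible) != 1:
        problems.append(f"expected 1 visible recipient, found {len(visible)}")
    if msg.get_all("Bcc"):
        problems.append("per-customer template must not be bulk-sent via Bcc")
    return problems


def send_all(messages, transport):
    """Send only messages that pass the audit; return (sent, rejected) counts."""
    sent = rejected = 0
    for msg in messages:
        if audit_outbound(msg):
            rejected += 1  # log and alert here; never let the fan-out leave
            continue
        transport(msg)
        sent += 1
    return sent, rejected


if __name__ == "__main__":
    good = build_reminders(ORDERS)
    bad = build_broken_batch(ORDERS)
    print("per-order messages:", [audit_outbound(m) for m in good])
    print("fan-out message:", audit_outbound(bad))
    print(send_all(good + [bad], lambda m: None))
```

The audit belongs between template rendering and the SMTP handoff, so a rendering bug that joins a recipient list cannot reach the MTA; `transport` stands in for whatever SMTP or API client the service uses.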

Home Depot originally tweeted that this only affected in-store customers, but it affected HomeDepot.ca customers as well.

A link to check the order status on Home Depot Canada's website was also included in each email, which means an attacker could click the link and use the email address with a brute-forced password to obtain more information on each customer, potentially leading to further concerns. With the emailed personal data, an attacker could craft phishing emails or social engineer their way into picking up other people's orders, if Home Depot Canada wasn't strictly checking ID for each pickup.

Given how much information is online about consumers, it wouldn't take much work for a malicious actor to use the names and home addresses, along with details from social media, to create a "dossier" on anyone they're interested in, potentially leading to stalking or trespassing. What sounds like a simple misconfiguration of customer data by Home Depot Canada should be considered a major security concern, and affected individuals can report the company to the Canada Privacy Commissioner, as one Twitter user recommended.

Consumers can take steps when ordering from companies: you can open a public-facing address online using a virtual service, or use a local postal service alongside a secondary phone number, such as a Google Voice number. Using a virtual credit card number, gift card, or secondary credit card can also help when privacy issues like this occur.

Links:

Watch this full episode on YouTube: https://youtu.be/vndloinbALk

Home Depot data leak:

https://twitter.com/HomeDepotCanada/status/1321600523485745152

https://threatpost.com/home-depot-data-breach-order-confirmation/160728/

https://twitter.com/HomeDepotCanada/status/1321485206260514818

https://www.bleepingcomputer.com/news/security/home-depot-blunder-emails-customer-order-info-to-strangers/

https://twitter.com/bethanyfrances/status/1321503250907103232
