Multiple Home Depot customers in Canada have reported a possible data breach involving mixed-up order confirmation emails.
About 600 users received a random email from the home improvement company containing other people’s order confirmations and shipment-related notifications. Alarmed customers tweeted about the incident to get the company’s attention.
Some emails are said to contain personal information of Home Depot customers, including names, home addresses, order numbers, ordered items, and partial card information. Cybersecurity firm BleepingComputer said the incident, a massive data leak, calls for an investigation.
An affected customer posted an update on Twitter, saying, “Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong.”
The user added that the home improvement giant mistakenly sent 400 to 500 emails to more than 500 people. After the tweet blew up, Home Depot finally responded, saying that the issue ‘has been fixed.’
Home Depot’s tweet included little to no information and did not even clarify whether the incident was a breach or a simple mix-up. Instead, the company said that the ‘issue’ impacted a very small number of customers who had in-store pickup orders.
Meanwhile, more people are claiming that the affected orders were not purely in-store pickup orders. Another user said, “This is a very serious data breach that has affected at least 900 consumers, not just in-store pick up. My online order was sent to 300 people, and I received the online orders of 43 others.”
Within a matter of hours, Home Depot finally clarified its statement after being called out on the in-store claim. The company said on Tuesday, Oct. 27, that it had discovered a system error on the Canadian Home Depot website, impacting a ‘small number of Canadian customers.’
The company also clarified that no emails contained any passwords or un-hashed payment card information. However, security experts claim that this email mix-up could expose customers to more dangerous cyberattacks.
For example, emails containing links to check order status could redirect customers to an online portal that asks for sign-in credentials. This technique, known as email phishing, can cause further damage to customers’ accounts and personal information.
In addition, someone could go to a customer’s address disguised as a Home Depot delivery person, only to deliver the wrong item.
This incident isn’t the first of its kind: the home improvement giant suffered a data breach in 2014, over which the company agreed to pay $19.5 million to compensate affected individuals.