Home Depot Confirms Data Leak after Canadian Shoppers Receive Random Order Confirmation Emails

Inboxes of Canadian Home Depot customers were flooded with hundreds of order confirmation emails revealing the personal information of random shoppers earlier this week.

According to social media reports, the emails contained names, home addresses, emails, and even partial credit-card information that could be viewed by unauthorized recipients.

The incident caused a stir, as worried customers flocked to the Home Depot Twitter page expressing their concerns:

“@HomeDepotCanada
Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong,” one worried customer tweeted.

“@HomeDepotCanada
I’m up to 100 emails AND COUNTING of shipping confirmations for other people’s orders from your store, received within the last hour. This is absurd. One every 5 seconds. Huge data breach,” another customer said.

A different user noted additional concerns. “This is a VERY serious data breach that has affected at least 900 consumers, not just in-store pick-up,” she said. “My ONLINE ORDER was sent to 300 people, and I received the ONLINE ORDERS of 43 others. Names, home addresses, order info and credit card info was all shared 🙁 @HomeDepot.”

Stop guessing what the internet knows about you. Find out with Bitdefender”s Digital Identity Protection!

The home-improvement retailer said the issue impacted a limited number of customers and has now been addressed.

“We are aware of what occurred this morning and can confirm that this issue has now been fixed,” Home Depot tweeted. “This issue impacted a very small number of our customers who had in-store pick-up orders.”
Paul Berto, corporate communications director at The Home Depot Canada, also told BleepingComputer that, while “some customers may have received multiple emails for orders they did not place”, “none of the emails contained passwords or un-hashed payment card information.”