Home Depot Blunder Emails Customer Order Info To Strangers

Today multiple reports have emerged from Home Depot customers in Canada stating that the company had sent them hundreds of emails containing order information of strangers.

Multiple users received upwards of 600 “order ready for pickup” reminder emails, each pertaining to a different order.

What alarmed hundreds of users was the orders were not associated with their Home Depot accounts.

BleepingComputer has obtained copies of these emails that divulge information such as the customer’s name, order number, ordered items, and partial payment card information.

Mailboxes flooded with random order pickup notifications

A Home Depot Canada customer, Spencer K. Monckton tweeted to the company today:

“Hey um… I’m pretty sure I received a reminder email for literally every online order that is currently ready for pick up at literally every Home Depot store in Canada. There are 660+ emails. Something has gone wrong.”

The order numbers and the information contained within these emails had no relation to Monckton’s account.

Also Read: Advisory Guidelines on Key Concepts in the PDPA: 23 Characters

Eventually, more reports surfaced over Twitter showing screenshots and videos of users’ flooded mailboxes due to what appeared to be an email system snafu.

The emails obtained by BleepingComputer reveal information such as the customer’s name, order number (with QR code), pick-up store address, items in the order, the payment amount, and last 4 digits of payment card number.

Monckton further told BleepingComputer he had received 467 emails in total between 2:32 AM and 3:29 AM EDT.

All emails related to online orders placed between October 24th and 25th, submitted for in-store pick ups. The first available pick-up day on these was Monday (October 26th).

The customers having failed to pick up the orders generated these reminder emails.

“One of the emails I got was for my own order (the first one, incidentally), but the other 466 were intended for people all across Canada, in both official languages,” he said.

“In the ‘To:’ line of each email, there were numerous other email addresses listed – up to a maximum of 544. Interestingly, the first email I got included only 83 email addresses, then the next one 84, then 85, then 86, etc. So it seems like the system worked through all the reminders scheduled to be sent, appending each new customer email to a growing list as it went. Hard to say how many customers were likely to be impacted, but you can see from @bethanyfrances’ tweet that it wasn’t just reminder emails,” Monckton told BleepingComputer.

Also Read: Contract for Service Template: 5 Important Sections

Monckton called this quite a “blunder” as in some cases it may be possible for the email recipients to pick up strangers’ orders as Home Depot staff may not always ask for identification, according to him.

“In some cases it’s possible to match up the first name with an email address from the to line. In theory it’s possible to pick up these people’s orders using the order number/QR code, since Home Depot doesn’t always check ID for customers when they show up for curbside pick-up. Quite a blunder!”

Reply-All and “CC” adds even more noise

To add more misery to an already terrifying situation, the order emails had several customers CC’d on them. 

This means any customer using the “Reply All” button would be responding not only to Home Depot Canada but all the customers who had received the order information in error.

“This morning I woke up to hundreds of emails from @HomeDepotCanada about picking up orders… Must have some sort of system error. While I thought that was annoying I’ve realised what is worse is all the people now “replying all” panicking about their orders,” tweeted Lauren Birch along with a video of their flooded mailbox.

When asked about the incident, Paul Berto, director, corporate communications at The Home Depot Canada told BleepingComputer:

“Tuesday evening, we discovered a systems error on select Homedepot.ca orders impacting a small number of our Canadian customers. Some customers may have received multiple emails for orders they did not place.”

“This issue has been fixed. None of the emails contained passwords or un-hashed payment card information. We apologize for the concern this has caused our customers, and we thank them for their patience and support as we quickly worked through this issue,” Berto told BleepingComputer.

Home Depot Canada also stepped in on Twitter threads they were tagged in, clarifying that the incident had impacted a “very small number” of customers with store pick-up orders scheduled.

Customers not convinced about “very small number”

Despite the company’s claims, several customers called out Home Depot for the “VERY serious data breach” and refuted that this had impacted only a few customers:

bethanyfrances’ concern has merit to it considering the user’s private information which included partial payment card information was leaked to hundreds of strangers.

The user further said they were reporting the major data breach to Canada Privacy Commissioner and encouraged others to follow their lead.

While the incident did not expose overtly sensitive information such as complete payment card data or user passwords, it is still a serious privacy breach.

Receiving not a few—but hundreds of emails with full names, addresses, partial payment card numbers, and order info of random strangers will ring anyone’s alarm bells.

In 2014, Home Depot had experienced a data breach that compromised credit card details of 56 million users.