Customers of Home Depot Canada have reported that the retailer mistakenly sent them hundreds of emails containing the order information of other customers, a major leak that raises the risk of item and identity theft, according to Insurance Business Canada.
Users reported receiving as many as 600 “order ready for pickup” reminder emails and shipment-related notifications. Recipients were also alarmed that the orders were not associated with their own Home Depot accounts.
BleepingComputer obtained copies of the misdirected Home Depot emails and reported that they disclose very sensitive customer information, such as customer names, home addresses, order numbers, ordered items, and the last four digits of their payment card numbers.
It was noted that most of the emails were reminder messages automatically generated by Home Depot’s systems for customers who had specified in-store pickup for their orders but had yet to collect them. All the order emails were for orders placed between October 24th and 25th, and the first available pickup day listed on the emails was October 26th.
One Home Depot Canada customer, Spencer K. Monckton, warned the retailer on Twitter about the leak after he received the flood of emails. Monckton also told BleepingComputer that in the “To:” line of each email, there were multiple other email addresses listed – as many as 544.
“Interestingly, the first email I got included only 83 email addresses, then the next one 84, then 85, then 86, etc.,” Monckton said in a statement. “So it seems like the system worked through all the reminders scheduled to be sent, appending each new customer email to a growing list as it went.”
Monckton warned that this “blunder” might lead to email recipients picking up strangers’ orders.
“In some cases, it’s possible to match up the first name with an email address from the to line. In theory it’s possible to pick up these people’s orders using the order number/QR code, since Home Depot doesn’t always check ID for customers when they show up for curbside pick-up. Quite a blunder!”
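The pattern Monckton describes, with the recipient count rising by one per message, is what a reminder loop produces when it reuses a single recipient list across iterations. The sketch below is an added illustration, not Home Depot's code: the page does not establish the actual cause, and every name, order number and address in it is constructed. It shows the hypothetical faulty loop, a corrected one, and a pre-send guard that would catch the mismatch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Reminder:          # one queued "order ready for pickup" reminder
    order_id: str
    customer_email: str


@dataclass(frozen=True)
class Outgoing:          # a message as it would be handed to the mailer
    order_id: str
    to: tuple


# Constructed sample queue; not real customer data.
QUEUE = [
    Reminder("ORD-1001", "alice@example.test"),
    Reminder("ORD-1002", "bob@example.test"),
    Reminder("ORD-1003", "carol@example.test"),
    Reminder("ORD-1004", "dave@example.test"),
]


def build_buggy(queue):
    """Hypothetical bug: the list is created once, outside the loop,
    so every message carries all earlier recipients as well."""
    recipients = []
    messages = []
    for r in queue:
        recipients.append(r.customer_email)
        messages.append(Outgoing(r.order_id, tuple(recipients)))
    return messages


def build_fixed(queue):
    """Each message gets a fresh, single-element recipient list."""
    return [Outgoing(r.order_id, (r.customer_email,)) for r in queue]


def violations(queue, messages):
    """Pre-send guard: a reminder may go only to the order's own customer.
    Returns the order ids of messages that must be blocked."""
    owner = {r.order_id: r.customer_email for r in queue}
    return [m.order_id for m in messages if m.to != (owner.get(m.order_id),)]


if __name__ == "__main__":
    print([len(m.to) for m in build_buggy(QUEUE)])
    print(violations(QUEUE, build_buggy(QUEUE)))
    print(violations(QUEUE, build_fixed(QUEUE)))
```

A guard of this kind belongs between message assembly and the mail transport, so that a batch with any violation is held rather than sent.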