NEW YORK (TheStreet) -- Home Depot (HD) has acknowledged the credit card breach reported last week but has yet to offer details, which instead are coming mainly from a security blogger named Brian Krebs, formerly a reporter at The Washington Post.
Although the company has yet to acknowledge the full extent of the breach, millions of card numbers may be for sale through a crime shop called Rescator.
Read More: 7 Stocks Warren Buffett Is Selling in 2014
According to Krebs' blog, the damage may not be limited to Home Depot. Because thieves stole customers' addresses and those of the stores from which data were stolen, as well as card numbers, and because so many stolen numbers are now in circulation, some thieves have been able to change the PINs used on victims' ATM cards and clear accounts of cash. One large West Coast bank lost $300,000 in a matter of hours, Krebs reported.
The fraud points to a more general problem with bank security, Krebs wrote, the ability of people to change PINs with a phone call through a Voice Response Unit. When a thief obtains a full name and address, they are often able to obtain other data, such as a victim's date of birth and Social Security number, allowing this fraud to take place.
Krebs reports that the malware infecting Home Depot point-of-sale systems is a version of the BlackPOS program that infected Target (TGT) last year, which runs under Microsoft (MSFT) Windows. The new version, according to Trend Micro, can capture all numbers in a cash register's memory, not just ongoing transactions.