According to preliminary results of an investigation into the September mega-breach of Home Depot, the company says that hackers gained access to Home Depot's network via a third-party vendor system.

Cybercrooks gained access to the US retail company via ineffective password security through an unnamed third party vendor's system allowing them to run stepping stone attacks that allowed them to achieve the objective of planting malware on sales terminals.

Home Depot release this statement:

Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network. These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the US and Canada.

Third parties were also blamed for the breaches at Target and JPMorgan. Target was broken into through the HVAC vendor. JPMorgan was accessed via a third party website.

During the September mega-breach, Home Depot admitted that hackers gained access to 53 million email addresses which also led to the theft of data from 56 million credit/debit cards.