The company also said it had eliminated the malware behind the attack from its payment systems.
Card readers that encountered the malware, which Home Depot said was a custom strain its security team had never seen before, were removed from service. The company is also beefing up its payment data encryption capabilities and other security measures.
Cybersecurity expert Brian Krebs first discovered affected card numbers for sale on Sept. 2, the same day Home Depot says it began its investigation. The company later confirmed that hackers broke into its payment system possibly as far back as April.
“We apologize to our customers for the inconvenience and anxiety this has caused, and want to reassure them that they will not be liable for fraudulent charges,” said CEO Frank Blake in a statement.
The company is offering identity protection services to any customer who has used a card in its stores since April.
The Home Depot hack is far from the biggest in history — a distinction that belongs to Adobe — but it did outrank the 40 million cards exposed in Target’s holiday season breach last year.