In a statement late Monday, the do-it-yourself retailer said customers who used credit or debit cards at stores in Canada and the U.S. could be affected by the breach. It was the first confirmation of a suspected breach reported last week.
Home Depot says there is no evidence that PIN numbers were snatched.
Home Depot is offering free identity protection, including credit monitoring to any customer who used a card at a Home Depot store from April 2014 on.
“We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred,” Home Depot CEO Frank Blake said in a prepared statement.
“It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”
The company said it continues to investigate the full scope and impact of the attack.
It began its investigation Sept. 2 after being alerted by banking partners and law enforcement agencies of a cybercrime attack on its payment systems.
Home Depot will step up the rolling out of chip and PIN technology to its U.S. stores by the end of this year. Credit card chips are not as widely used in the U.S. as in Canada.
A cybercrime attack on Target earlier this year affected 70 million accounts including Canadians and hurt the company's sales and reputation.
Hackers may have used malware on the Home Depot system similar to the kind used against Target, according to some reports.
The U.S. Department of Homeland Security has warned many retailers are vulnerable to cybercrime.