It's not clear how many stores or shoppers could be involved, but analysts say it could be larger than the data breach that affected 40 million Target shoppers last year.
In a statement, Home Depot spokeswoman Paula Drake said "protecting our customers' information is something we take extremely seriously."
"It's like that old saying, 'Why do you rob a bank? It's where the money is,'" said CBS News financial analyst Mellody Hobson. "Cyber thieves know they're the new organized crime. There's a lot of money to be made online because 60 percent of us are banking online. Most of us are shopping online. So when they get these numbers, they can sell them."
Hobson says the thieves made an estimated $50 million from this breach, and that other retailers should act before another breach occurs.
"Target was the wake-up call," she said. "They knew that lost nearly $2 billion from the market cap. Their profits plummeted. The CEO lost his job. So now retailers are saying we have to get on top of this and play offense. On top of that, credit card companies have said, if the new card reader technology hasn't been adopted by October 2015, if there's fraud, the retailer is responsible."
Chip and PIN technology has been implemented in stores in Europe and is now coming to the U.S. The transaction method uses a chip in the credit card that holds account info, requires a PIN for identification, and, according to Hobson, is nearly impossible to counterfeit.
"Everyone's trying to get in front of this new card reader, which has dual verification, which makes the transaction much, much safer for retailer and customer," Hobson said.
The technology will be in use by most retailers within the next 18-48 months -- Walmart already employs the technology -- but Hobson says the change will come with a hefty price tag.
"The costs are huge," Hobson said. "An expected $8 billion to change all these systems around the country, but I don't know how they could pass it on."
Copyright 2016 Nexstar Broadcasting, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.