Credential-Stuffing Account Fraud on Home Depot Pro Xtra
Attackers use leaked email-and-password combinations to access Home Depot Pro Xtra accounts, draining reward balances, placing orders with stored payment methods, or redirecting professional contractor spending accounts.
Last reviewed: 8 June 2026
Home Depot's Pro Xtra programme serves professional contractors and tradespeople who spend heavily and accumulate significant reward dollar balances. A single compromised Pro Xtra account may hold hundreds of dollars in reward credits and have a high-limit store credit account linked, making it a valuable credential-stuffing target.
Pro users are also more likely to have stored high-value payment methods, business addresses, and recurring order patterns in their accounts. An attacker who successfully logs in can exploit these stored details to place large orders for materials, redirect contractor account credits, or harvest business identity information.
Password reuse — the root cause of credential-stuffing fraud — is common among tradespeople who prioritise efficiency over security hygiene and may use the same email-password combination across multiple supplier and trade accounts.
How this scam works on the Home Depot brand
A credential-stuffing tool tests the victim's email-password pair against Home Depot's login page. On success, the attacker examines the Pro Xtra account for reward dollar balance, linked payment cards, and pending orders. They immediately redeem the reward balance for digital gift cards or high-value materials orders.
If the account has a Home Depot Commercial Revolving Charge or Pro Xtra credit line, the attacker places large orders — lumber, power tools, appliances — for delivery to a mule address. Some attackers change the notification email first to suppress alerts.
For smaller accounts, the attacker may harvest the billing address and payment card details stored in the account for use in other fraud rather than making large purchases that might trigger fraud detection.
Common red flags
- A Home Depot login alert arrives from an unfamiliar device or location
- Your Pro Xtra reward dollar balance has decreased without a corresponding redemption you made
- Your account shows orders for items you did not place, often to an unfamiliar delivery address
- Your account email address, saved delivery address, or credit limit has been changed without your action
- A Home Depot Commercial Credit confirmation arrives that you did not apply for
- You cannot log in to homedepot.com despite using what you believe is the correct password
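The sequence described under "How this scam works" and the red flags above map directly onto account-event detection. The Python below is an added example, not Home Depot's code or part of the original page; the event schema, field names, device and address identifiers, and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window; tune per environment
PROFILE_CHANGES = {"email_change", "address_change"}
VALUE_EVENTS = {"reward_redemption", "order_placed"}

def detect_takeover(events, known_devices, known_addresses):
    """Return (timestamp, signal) findings for one account's event timeline."""
    findings, suspect_login = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "login_success":
            if ev["device"] in known_devices:
                continue  # familiar device: no new signal, keep any open window
            suspect_login = ev["ts"]
            findings.append((ev["ts"], "login_from_unfamiliar_device"))
        elif suspect_login and ev["ts"] - suspect_login <= WINDOW:
            # Correlation is by time only, so activity by the real owner inside
            # the window is flagged too; treat findings as leads for review.
            if kind in PROFILE_CHANGES:
                findings.append((ev["ts"], f"{kind}_after_unfamiliar_login"))
            elif kind in VALUE_EVENTS:
                addr = ev.get("ship_to")
                new_addr = addr is not None and addr not in known_addresses
                tag = "to_unfamiliar_address" if new_addr else "after_unfamiliar_login"
                findings.append((ev["ts"], f"{kind}_{tag}"))
    return findings

def is_likely_takeover(findings):
    """Unfamiliar login plus at least one follow-on change or value event."""
    signals = {s for _, s in findings}
    return "login_from_unfamiliar_device" in signals and len(signals) > 1

# Constructed sample timeline for a single account.
T0 = datetime(2026, 1, 5, 9, 0)
SAMPLE = [
    {"ts": T0, "type": "login_success", "device": "dev-known-1"},
    {"ts": T0 + timedelta(hours=1), "type": "order_placed", "ship_to": "addr-jobsite"},
    {"ts": T0 + timedelta(days=2), "type": "login_success", "device": "dev-unseen-9"},
    {"ts": T0 + timedelta(days=2, minutes=3), "type": "email_change"},
    {"ts": T0 + timedelta(days=2, minutes=7), "type": "reward_redemption"},
    {"ts": T0 + timedelta(days=2, minutes=12), "type": "order_placed", "ship_to": "addr-new"},
]

if __name__ == "__main__":
    results = detect_takeover(SAMPLE, {"dev-known-1"}, {"addr-jobsite"})
    for ts, signal in results:
        print(ts.isoformat(), signal)
    print("likely takeover:", is_likely_takeover(results))
```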
How to protect yourself
- Use a unique, strong password for your Home Depot Pro Xtra account that is not shared with any other service
- Enable two-factor verification on your Home Depot account in Account Settings
- Review your Pro Xtra reward balance and order history regularly at homedepot.com
- Check haveibeenpwned.com for your email address and update all reused passwords across supplier accounts
- Place a credit freeze to prevent fraudulent commercial credit applications in your name
- Contact Home Depot Pro Xtra customer service at 1-800-466-3337 immediately if you notice any unrecognised account changes
How to report it
- Report account fraud to Home Depot at 1-800-466-3337 or via the Help section at homedepot.com
- Report to the FTC at reportfraud.ftc.gov
- If a fraudulent credit account was opened, contact the credit issuer and the FTC at identitytheft.gov
- File a report with the FBI at ic3.gov if significant financial loss resulted
Frequently asked questions
Why are Pro Xtra accounts a higher-value target than regular consumer accounts?
Pro Xtra accounts tend to have larger reward balances, higher-limit credit accounts, and more extensive purchase histories, making them more rewarding to compromise than a standard consumer account with a modest balance.
Can Home Depot reverse fraudulent Pro Xtra reward redemptions?
Home Depot's fraud team can investigate reported cases. Prompt reporting improves the chance of recovery. Contact their Pro Xtra customer service line immediately if you spot unrecognised redemptions.
I use the same password across multiple trade supplier accounts. Is that a problem?
Yes. Password reuse is the single biggest enabler of credential-stuffing fraud. A breach at any one supplier can expose access to all others. Use a password manager to maintain unique credentials for each account.