After nearly a week of only saying it was investigating reports of a massive data breach, Home Depot has confirmed that its in-store payment systems were indeed compromised by hackers.

In a statement, the retailer didn’t give an estimate of how many customers were affected, but said that shoppers who paid with their cards at Home Depot stores in the U.S. or Canada could have had their data compromised.

One slight sliver of good news for customers who shopped using their debit cards — Home Depot says that it believes that debit card PINs were not stolen.

However, considering how many debit cards can be used with solely the card number and other information from the magnetic stripe, all this really prevents are cash withdrawals from ATMs and retailers that offer cash-back to debit customers.

Home Depot is also not specifying what information was stolen by the hackers, though cards that have gone up for sale on an online black market appear to contain much of the relevant data you would need to create a fake card.

The company also didn’t put a precise timeline on the breach, but says its investigation goes back as far as April of this year. Considering that Home Depot operates more than 2,000 stores in the U.S. and that the spring and summer seasons are usually high-traffic times for home improvement stores, this breach will likely be significantly larger than the massive one that hit Target at the end of 2013.

For anyone that used their cards from April 2014 on, Home Depot is offering free identity protection services, including credit monitoring.

If you fall into that category, you can call 1-800-HOMEDEPOT (800-466-3337) or sign up online at https://homedepot.allclearid.com.

“We apologize for the frustration and anxiety this causes our customers, and I want to thank them for their patience and support as we work through this issue,” said Frank Blake, chairman and CEO of Home Depot, in a statement. “We owe it to our customers to alert them that we now have enough evidence to confirm that a breach has indeed occurred. It’s important to emphasize that no customers will be responsible for fraudulent charges to their accounts.”

￼