Card data for sale at Rescator is sortable by ZIP code (crooks prefer to buy cards in their own neighborhoods because they are less likely to trigger security alerts when used locally). According to Krebs, a comparison of the ZIP code data between the unique ZIPs represented on Rescator's site and those of Home Depot stores show a staggering 99.4% overlap.

The breach, if confirmed, may be much bigger than the Target breach, which involved 1,800 stores. The Home Depot breach may involve 2,200 stores.

Some credit unions are proactively taking steps to inform members about the possible breach and what it might mean.

At the $2.3 billion Affinity Federal Credit Union in Basking Ridge, N.J., a notice was prominently displayed on the credit union's home banking site.

“Affinity is aware of the recent reports of a Home Depot credit and debit card breach. Please be assured that there is no need to take any action regarding your Affinity credit or debit card – you may continue to use your cards. However, if your card is identified as part of the breach, we will contact you by mail regarding the replacement of your card,” the notice said.

“We are not seeing anything directly related to Home Depot yet, but the black market usually takes some time to work it into their system,” Affinity CEO John Fenton said. “We are getting a lot of calls from members who are getting nervous with all these breaches.”

In past breaches, Affinity and other proactive credit unions took steps to monitor which member credit cards might have been involved in a breach, action taken before alerts were received from large credit card issuers. Accordingly, they said actual loss volumes were very low.

At the $60 billion Navy Federal Credit Union in Vienna, Va., SVP, Security Robert Carlisle said the nation's largest credit union is monitoring the situation.

He added that, in incidents such as this, Navy Federal tells its members to check their account information frequently and report suspicious transactions immediately.

Other institutions offered similar advice, with many suggesting that members also review their credit report at least once annually.

At St. Petersburg, Fla.-based CUSO PSCU, Chief Risk Officer Steve Ruwe said, “we have been tracking this situation for a few days.” He cautioned that, thus far, not enough factual information is known to come to firm conclusions.

He pointed out that so far, nobody has disclosed the duration of a breach, if in fact one occurred, or what information was taken.

Ruwe's advice to credit unions is to wait for confirmed info and then decide if card reissue makes the best sense for the institution and its members. Sometimes it won't, he said, indicating that fraud analytics can provide considerable security without incurring the costs of card reissue.

Russ Spitler, a vice president at San Mateo, Calif.-based security firm AlienVault, didn't have any good news. He counseled financial institutions to expect more big retailer breaches.

“Major retail chains are easy targets because they have not invested in cybersecurity,” he said. “Banks are no longer easy targets. They have fortified themselves and even built protections for their consumers, but point-of-sale systems originally designed and built years ago are easy places to grab a foothold.

Hackers are focusing on retailers because that is where the money is, he added. It is the easiest target with the greatest reward.

“We have just seen reports of incredibly sophisticated attacks against major Wall Street banks – customized malware and long campaigns – if that is what it takes to break into a bank, no wonder the bigger breaches are focusing on the less sophisticated targets with just as large an economic potential,” he said.