Home Depot Inc. confirmed Monday that its credit and debit card systems were breached at its U.S. and Canadian stores in a security breach that may have stretched back to April.

The acknowledgment is the result of an investigation began by the home improvement company after it first learned about what it called unusual activity last Tuesday. Since then, it has been working with law enforcement and banks, as well as with computer security firms Symantec Corp. and Fishnet Security, to investigate.

The data breach at Home Depot--which may have begun during the company's key spring selling season--is the latest in a series of data security attacks on retailers, restaurants and other companies including Target Corp., Neiman Marcus Group Ltd. and P.F. Chang's China Bistro.

The software used in the attack appeared to be a reworked version of the malware used against Target, a person familiar with parts of the investigation said. That doesn't necessarily mean the attack was the work of the same hackers. The card stealing code, known as Black POS, has been widely sold on underground hacking forums since being crafted by a Russian teenager in 2012, cybercrime experts have said.

In this case it appears someone, sometimes coding in Russian, made his or her own changes, the person said. This included stylistic flourishes including links to a Wikipedia article on a list of wars involving the U.S. and the website for a book titled, "America's Deadliest Export: Democracy."

Home Depot has assured customers that they won't be responsible for any fraudulent charges on their credit or debit cards and has promised to offer free identity-protection services, including credit monitoring, to any affected customers.

Write to Shelly Banjo at shelly.banjo@wsj.com

Subscribe to WSJ: http://online.wsj.com?mod=djnwires