NEW YORK — Home Depot said Thursday that a data breach that lasted for months at its stores in the U.S. and Canada affected 56 million debit and credit cards, far more than a pre-Christmas 2013 attack on Target customers.

The size of the theft at Home Depot trails only that of TJX Companies’ heist of 90 million records disclosed in 2007. Target’s breach compromised 40 million credit and debit cards.

Home Depot, the nation’s largest home improvement retailer, said that the malware used in the data breach that took place between April and September has been eliminated.

It said there was no evidence that debit PIN numbers were compromised or that the breach affected stores in Mexico or customers who shopped online at Homedepot.com. It said it has also completed a “major” payment security project that provides enhanced encryption of customers’ payment data in the company’s U.S. stores.

But unlike Target’s breach, which sent the retailer’s sales and profits falling as wary shoppers went elsewhere, customers seem to have stuck with Atlanta-based Home Depot. Still, the breach’s ultimate cost to the company remains unknown. Greg Melich, an analyst at International Strategy & Investment Group LLC, estimates the costs will run in the several hundred million dollars, similar to Target’s breach.

“This is a massive breach, and a lot of people are affected,” said John Kindervag, vice president and principal analyst at Forrester Research. But he added, “Home Depot is very lucky that Target happened because there is this numbness factor.”

Customers appear to be growing used to breaches, following a string of them this past year, including at Michaels, SuperValu and Neiman Marcus.