Target has confirmed that data from about 40 million credit and debit cards was stolen at its stores between Nov. 27 and Dec. 15.
The statement from the retailer Thursday follows reports that thieves had accessed data stored on the magnetic stripe on the back of credit and debit cards during the Black Friday weekend through card swiping machines that could have been tampered with at the retailer's stores, a practice known as card skimming.
The data could have been used to create counterfeit cards that could even be used to withdraw money at an ATM, according to the reports.
The card information that may have been compromised includes the name of the customer, credit or debit card number, the cards expiration date and the three-digit CVV security code, Target said in a note to customers. Shoppers at its online store Target.com or at physical stores outside the U.S were not affected, it added.
Target said it "is working closely with law enforcement and financial institutions, and has identified and resolved the issue." It also said it was working with an outside forensics firm.
Customers who suspect unauthorized activity should contact the company, Target said.
Security news writer Brian Krebs reported Wednesday that it was first thought that the breach extended from just after Thanksgiving 2013 to Dec. 6. But investigators found evidence that the breach may have lasted up to Dec. 15, which has now been confirmed by Target.
Millions of cardholder accounts may have been vulnerable after the breach that is believed to have affected about 40,000 card machines at store registers, The Wall Street Journal said, quoting people familiar with the situation. Sources at two of the top 10 card issuers told Krebs that the breach had affected nearly all Target locations in the U.S.