Target confirms up to 40 million credit and debit cards are at risk following Black Friday hack (update)

One of America's biggest retailers may have fallen to hackers


Retailers are an appealing target for hackers during the holidays, and Target may be learning that lesson the hard way. According to Krebs on Security, the US retail giant is investigating a major breach that could potentially involve "millions" of customer credit and debit card records. The sophisticated hack reportedly took place over several weeks — starting on Black Friday and possibly extending all the way through December 15th — and is said to involve "nearly all" Target stores in the United States.

Krebs says the breach "involves the theft of data stored on the magnetic stripe of cards used at the stores." Online orders are said to be unaffected. Still, it sounds like a worst-case scenario for Target and its shoppers, with Krebs writing:

The type of data stolen — also known as "track data" — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.

Thus far Target has offered no comment on the rumored breach, nor any direct confirmation of a hack. An anti-fraud analyst at a "top-ten US bank card issuer" made the situation sound dire, telling Krebs, "We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized." We have reached out to the company for more details.

Update: The Wall Street Journal is now independently reporting the breach, with details that match Krebs' initial story. A spokesperson for the US Secret Service has confirmed to the Associated Press that it is in fact investigating the incident.

Update 2: Target has now confirmed the data breach. Up to 40 million card accounts may have been affected between November 27th and December 15th. In a press release, the company says it "alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts."
