UPDATED: Target Customers Targeted in Massive Data Breach

News
By
published

If you've shopped at a Target store in the past month, your credit and/or debit card may have been exposed in a massive data breach.

Holiday shoppers beware: Hackers have broken into the databases of retail superstore Target and made off with approximately 40 million credit and debit card accounts used in Target's stores between Nov. 27 and Dec. 15, 2013.

Anyone who has used a credit or debit card at a physical Target location within that time should assume that their accounts have been compromised.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

The breach was first reported by security expert and blogger Brian Krebs on Dec. 18, and later confirmed by Target on Dec. 19. One of Krebs' sources said that: "When all is said and done, this one will put its mark up there with some of the largest retail breaches to date."

Target says the stolen account information consists of the customer's name and credit or debit card number, as well as the card's expiration date and CVV (three-digit security code). 

According to Krebs' sources, the stolen account information comes from the so-called "track data" stored on a credit or debit card's magnetic stripe. The CVV stored on a card's magnetic stripe is different than the one printed on the card itself, however. So in this case the thieves wouldn't be able to use a stolen account to make online purchases (which require the printed CVV) but they could use the stolen data to forge new credit cards by encoding the track data on a new magnetic stripe, Krebs speculates.

It's not clear if the breach includes PIN numbers associated with debit cards used at Target, but if so, the thieves could use those as well to make unauthorized cash withdrawals. In October, Adobe admitted that hackers had stolen 150 million account credentials, compromising the emails and passwords of more than 38 million individual users.

In May, open-source content management system Drupal was hacked, and almost 1 million users' email addresses, passwords and other personal information was stolen.

If you believe you have been affected by Target's data breach, contact your credit card company immediately and check for any unfamiliar expenses. You can also obtain a credit report from a nationwide credit reporting agency such as Equifax, Experian or TransUnion, and ask for a "fraud alert" to be applied to your account. This requires creditors to take extra steps to verify your account, making it more difficult for anyone, including you, to obtain credit.

You can also contact Target directly at 866-852-8680 or see Target's official statement for state-by-state recommendations.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

See more Computing News
TOPICS
Jill Scharr

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

More about online security
A hacker typing quickly on a keyboard

Hackers are posing as Apple and Google to infect Macs with malware — don’t fall for these fake browser updates
and image of the Google Chrome logo on a laptop

Google Docs under attack from info-stealing malware — how to keep your data and your emails safe
Closeup of iPhone 16e main camera.

iPhone 16e pops up on Geekbench — and its far weaker than the iPhone 16
See more latest
13 Comments Comment from the forums
  • Adroid
    No pun intended. I'm a poet and I noet.
    Reply
  • velocityg4
    I wonder if any of these companies run Z/OS. From I've read it's never had a virus or been hacked. Maybe it's time to move from Windows Server and Linux to Big Blue.
    Reply
  • rwinches
    Wow! I'm glad I used cash during that time period.
    Reply
  • JOSHSKORN
    Wow I'm glad I only shopped on Amazon.
    Reply
  • house70
    Inside job.
    Reply
  • jimb3sixty
    This is a great example of how hackers are getting access to everyones account information as well as what they call keylogging. There is a great software available to install on your home and work computers to keep theives from accessing your information. Please check it out at this link and lets save everyone the headache of having to deal with this kind of situation.
    Here is the link, please check it out.
    http://cyberwealth7.com/JandL

    Thanks,
    Jim
    Reply
  • Ninjawithagun
    Time to sue Target with a class action lawsuit for providing inadequate cyber security measures on their customer database. This is an easy win for any law firm with that wants to make some easy money.
    Reply
  • ovly500
    Edward`s report is really great.. Google is paying 75$/hour! Just work for few hours & have more time with friends and family. Last Wednesday I got a top of the range McLaren F1 from bringing in $5012 this month. I never thought I'd be able to do it but my best friend earns over 10k a month doing this and she convinced me to try this Buzz95.ℂom
    Reply
  • Darkk
    Switching one operating system to another isn't going to solve the problem. It's physical access to the database either by network (inside or outside) or somebody at the compromised terminal / PC.

    All these stores are connected via VPN to the data center and from there it gets processed. Somewhere along the lines one of these stores's network got compromised and accessed this data.

    This happened before with Home Depot's WiFi network. Lucky the damage is only limited to that one store.

    This could be very well be an inside job.

    I too am affected by this breach and it's really ticking me off. So hopefully my CC numbers will never get used. Going to order new card anyway.
    Reply
  • Grandmastersexsay
    It doesn't sound like this was an issue of Target's records being hacked, because Target is stating the only people affected are the ones who made purchases over a narrow time frame. If it was a matter of their database being hacked, the criminals would have records going back much furthur. Like most stores, Target keeps card information in case of returns.

    No, this sounds like card data was intercepted from the card swiping machines. Can these swipers have their firmware automatically updated? Do these swipers contact an outside party for authorization? What kind of path does the authorization take? I doubt it is different than most stores. It would be nice to hear from someone in the industry take a guess.


    "So in this case the thieves wouldn't be able to use a stolen account to make online purchases (which require the printed CVV) but they could use the stolen data to forge new credit cards by encoding the track data on a new magnetic stripe, Krebs speculates."

    That makes no sense. If they could make new cards from this data, they would have to match the existing printed data, which means they could make online purchases.
    Reply