Brian Krebs said on his website, Krebsonsecurity.com, unnamed sources said the data breach at Target Corp. started on or around Black Friday, the busy post-Thanksgiving shopping day, and may have gone on until Dec. 6 or Dec. 15, the (Minneapolis) Star Tribune reported.
The Wall Street Journal reported the Secret Service was investigating the computer breach.
The Minneapolis newspaper said Target had not responded to requests for comment about Krebs' report, but an American Express Co. spokeswoman in New York said the credit card company was aware of the problem.
"We're working with Target on this," Marina Norville said Wednesday. "It's an investigation right now. We've put fraud controls in place."
Norville said the company "just got wind of this" and hadn't notified its customers because no fraud had been detected on the cards.
Krebs said his sources at two of the Top 10 credit card issuers said the breach involves nearly all Target locations nationwide "and involves the theft of data stored on the magnetic stripe of cards used at the stores," the Star Tribune said.
Having access to the data could allow someone to make counterfeit credit cards. If the hackers obtained the personal identification numbers for the cards, the fake cards could be used to withdraw money from automated cash machines.