Hackers who broke into the retailer's network did so by using login credentials stolen from a heating, ventilation and air conditioning company that does work for Target at a number of locations, security blogger Brian Krebs reported Wednesday.
Krebs, who first reported the Target breach, said sources close to the investigation told him the attackers first gained access to Target's network on Nov. 15, with a user name and password stolen from Fazio Mechanical Services, a Sharpsburg, Pa., company that specializes in providing refrigeration and HVAC systems for large companies like Target.
Target had apparently granted Fazio access rights to its network so it could remotely monitor energy consumption and temperatures at various stores.
Hackers used that access to upload malware programs on the company's point of sale systems, investigators said.
From Nov. 27 to Dec. 15 the attackers used the malware to steal data on millions debit and credit cards. Initial reports indicated 40 million customers were affected; Target later increased the number to 100 million.
Fazio President Ross Fazio confirmed U.S. Secret Service investigators had visited his company regarding the Target breach but offered no other details on its alleged role in the breach, ComputerWorld reported.
Fazio did not immediately respond to a request for comment, ComputerWorld said.