Target has said that data from about 40 million credit and debit card accounts could have been stolen during the Thanksgiving weekend, confirming media reports that said federal authorities were investigating a suspected data breach at America's second-largest discount retailer.
Target said on 19 December that "it is aware" of the data theft and that it has "identified and resolved the issue".
Purchases made at Target's US stores between 27 November and 15 December "may have been impacted", according to a Target statement.
The company said customers who suspected unauthorised card activity should contact it at 866-852-8680.
Gregg Steinhafel, chairman, president and chief executive of Target, said: "Target's first priority is preserving the trust of our guests and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause. We take this matter very seriously and are working with law enforcement to bring those responsible to justice."
Earlier, when approached by Reuters, American Express said it was aware of the incident and that it was putting fraud controls in place.
Visa and MasterCard refused to comment.
The US Secret Service confirmed it is investigating the matter.
The data was extracted through software installed on machines that customers use to swipe their cards when paying for goods, an unnamed source told the news agency.
Earlier, Krebs on Security, a closely tracked security industry blog that broke the news, said there were no signs the breach had affected shoppers on Target's website.
Target has 1,797 stores in the US and 124 in Canada. The company's stock finished 3.08% higher in New York on 18 December and has gained 7.4% so far this year.
Data breaches have hit other retailers in the past.
TJX, which operates the TJ Maxx and HomeGoods stores, said in 2007 that hackers broke into its computers and stole some 45.7 million credit and debit-card numbers.