Target Corp., the second-largest U.S. discount retailer, said the theft of credit- and debit-card data last month that affected tens of millions of customers may have occurred through the use of a vendor's credentials.

"We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system," Molly Snyder, a Target spokeswoman, said today in an e-mail.

The Minneapolis-based company said in December that data from 40 million accounts were compromised during the holiday shopping season. Earlier this month, it said the breach affected more people and more information than previously thought, including personal data for as many as 70 million people collected over several years. Target said the breach hurt holiday sales and cut its fourth-quarter forecast for U.S. operations.

Snyder, citing the investigation, said she had no additional details to share.

The suspected use of a vendor's credentials was reported earlier today by the Wall Street Journal.

The Target hacking case was followed on Jan. 10 when Neiman Marcus Group Ltd. said customer credit cards may have been part of a security breach. The retailer later said about 1.1 million cards may have been affected.

Michaels Stores Inc., the world’s largest arts-and-crafts retailer, said on Jan. 26 that some of its customer payment-card data may have been used fraudulently, making it the third U.S. retailer to report such a breach since December.