NEW YORK (TheStreet) -- Target's (TGT) security data breach that compromised more than 40 million customer credit and debit cards and stole personal information for as much as 70 million customers may have come from a vendor.
"We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system," Target spokeswoman Molly Snyder confirmed to TheStreet in an email on Thursday.
"As we have previously shared, we confirmed the breach on December 15 and were able to eliminate the malware and close the access," Snyder added. "In addition, since that time we have taken extra precautions such as limiting or updating access to some of our platforms while the investigation continues."
The information comes after U.S. Attorney General Eric Holder confirmed in testified comments on Wednesday that the Department of Justice was looking into last month's security breach at the big box retailer.
Target shares are down 10% this year, compared to the S&P 500 which is down 4%.
Target's stock was downgraded to "underperform" from "market perform" by Cowen & Co. on Thursday.TGT data by YCharts
-- Written by Laurie Kulikowski in New York.