Target spokeswoman declined to comment on how data was stolen citing ongoing probe.
Data stolen from about tens of millions of Target customers during a massive breach was stolen from a vendor, Target stores said on Wednesday.
"We can confirm that the ongoing forensic investigation has indicated that the intruder stole a vendor's credentials which were used to access our system," Target spokeswoman Molly Snyder said Wednesday night in an e-mail about the breach that took place between Nov. 27 and Dec. 15.
The Minneapolis-based retailer confirmed on Dec. 15 that the breach had taken place and has also blocked the access and eliminated the malware involved, Snyder said. The breach involved 40 million debit and credit card numbers and personal information for 70 million more people.
CYBER CRIME: Target confirms massive data breach
"In addition, since that time we have taken extra precautions such as limiting or updating access to some of our platforms while the investigation continues," she wrote.
Snyder said she could not say much more because of the ongoing nature of the investigation.
The Secret Service has confirmed it is helping with the data violation, which began around Black Friday, the day after Thanksgiving and busiest shopping day of the year.
Target has almost 1,800 stores in the United States and 124 in Canada, according to its website.
During an appearance before the Senate Judiciary Committee on Wednesday, U.S. attorney general Eric Holder confirmed the Justice Department is investigating the breach and that it is committed to finding the perpetrators of "these sorts of data breaches."
Earlier in January, two Mexican citizens were arrested as they tried to enter the United States in Texas after they were caught with 96 credit cards cloned with account information from the Target breach.
RELATED TO TARGET BREACH?: Questions arise over arrests
Some officials, however, said the arrests were not connected to the Target data theft.
Copyright 2014 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.