Target has shared some details about the massive hack that let hackers grab financial records on up to 110 million customers. But it hasn't really explained how the thieves were able to install the malware in the first place.
"As this is an ongoing investigation, we don't have information to share at this time," a Target spokesperson told us when we asked.
Now Brian Krebs, the security blogger that broke the story, has a theory, detailed in a blog post, based on info confirmed by Target, other news reports and his own sources.
What we know is that hackers installed malware on the devices used to scan your credit cards, called Point-of-Sale (POS) systems. Target CEO's confirmed this in an interview with CNBC.
The malware involved something called "memory-scraping,"Reuters reported. That means that the moment you swipe your card the malware grabbed your credit card info.
This POS malware seems to be a known variety, spotted as early as June, 2013, Krebs says. It looks like something called BlackPOS that sells on hacker forums for $1,800-$2,300.
Hackers can sell the credit card numbers for $35 - $100 each. Gold or platinum credit cards go for $60 each, business credit cards $80 and some platinum cards, $100, Cisco security researcher Levi Gundert wrote this week in a blog post. That's a stunning potential payback on a $2,300 piece of software.
Krebs sources say that hackers broke into Target's network through a Web server and planted the malware onto the devices from the network.
Then they allegedly used one of Target's own computers to store the stolen credit card numbers and accessed this computer remotely to collect the numbers.
If that's true, it means that hackers didn't just break in once. It means they hopped onto Target's network whenever they pleased.
If Target's POS systems had used encryption, the hackers wouldn't have been able to get the credit card numbers even if they successfully installed malware, Gundert says.
And now for the irony: The BlackOS malware includes encryption. The thieves could protect the stolen credit card numbers with the exact tech that would have prevented them from getting the numbers in the first place.