Attackers involved in the Target breach, which led to the theft of 40 million debit and credit card details late last year, broke into the retailer’s network via a heating and air-conditioning contractor, according to a new report. The attackers, who remain unidentified, used network credentials stolen from Fazio Mechanical Services, based in Sharpsburg, Pennsylvania, according to sources quoted by security writer Brian Krebs of Krebs on Security.

Quoting unnamed sources close to the investigation, Krebs claimed that attackers broke into Target’s network on November 15, using credentials stolen from Fazio. Speaking to Krebs, sources at Fazio admitted that they had been visited by the U.S. Secret Service, but declined to answer further questions about the attack. Target spokeswoman Molly Snyder said that the company had no more information regarding the attack.

According to Krebs’ report, the attackers penetrated Fazio’s systems and were able to steal login information, possibly due to the contractor having network access to remotely monitor and patch heating equipment, according to an unnamed retail security expert quoted by Krebs.

A myth-busting post by ESET security researcher Lysa Myers, analyzing some of the facts (and non-facts) about the Target credit card breach, can be found here. The breach affected 40 million shoppers at the retailer last Christmas, after unknown attackers gained access to the store’s network and pushed malware into its point-of-sale terminals.

VentureBeat’s report points out that Fazio also contracted for other large chains such as Trader Joe’s, Whole Foods and Giant Eagle.

Last week, the Wall Street Journal reported that the attackers broke in via an unnamed third-party contractor. Writing for the Wall Street Journal’s Digits blog this week, Danny Yadron and Paul Ziobro commented, “It’s another reminder of the risks large corporations face as they operate large and interconnected networks. The heating guy, in theory, has nothing to do with the millions of payments Target accepts every day.”

“But picking off a low-level victim is a common tactic among hackers. After getting a username and password, hackers move through a network until they find a company’s crown jewels – in this case credit and debit card numbers.”

ESET’s Lysa Myers offers tips for shoppers who fear they may have been affected by the Target credit card breach in a We Live Security blog post from earlier this year, pointing out that other retailers may also be at risk. Myers writes, “If you used your credit or debit card at any retailer in November and December of last year you need to check your accounts right away. Check your statements for fraudulent transactions. Criminals are likely to hang on to data and use it after attention has died off, so this is something you should continue to do for the foreseeable future.”