The hackers that broke into Target's network and lifted millions of payment card numbers used a local cooling and heating company's credentials to pull off the heist.
One the US's biggest breaches has been traced back to a supplier of refrigeration and air-conditioning equipment and services for retailers.
According to security reporter Brian Krebs, people involved in the Target investigation claim that before hacking into Target's network — which allowed them to install malware on the retailer's point of sale machines —they hacked one of Target's suppliers, a Pennsylvania-based company.
Target has declined to confirm the details in the report. "Because this is a very active and ongoing investigation, I don't have any additional details at this time," a Target spokesperson told ZDNet.
Last week, Target told reporters that its forensic investigation indicated the hackers gained access to its system via "a vendor's credentials" without clarifying the specific supplier or system.
An unnamed security expert told Krebs that one reason a refrigeration supplier would have remote access credentials to Target's network is that they often also supply temperature and energy monitoring services to ensure stores stay within an acceptable range. While the monitoring system itself sits within Target's network, vendors that support them often require remote access to fix bugs or apply patches to the systems.
The report also sheds more light on when the hackers first installed the POS and how they moved the credit card details out.
Investigators told Krebs the hackers initially installed their card stealing malware to a small number of Target's cash registers between November 15 and 28. (That's a few weeks before the breach was initially thought to have begun, and nearly a month after Target confirmed it had happened.)
That two week period allowed testing to occur ahead of the full scale rollout to the the majority of Target's POS devices, which was complete by the end of November.
While the hackers are suspected to be located in Eastern Europe or Russia, they also used drop servers in the US and Brazil from where they picked up the stolen data.
Security company Mandiant issued a report late last year noting an increase since 2012 in the number of breaches at outsourcers and managed service providers, exploiting their privileges to gain access to a primary target.
ZDNet has asked Target for comment on the story, and will update the article if it receives one.