Hackers Claim to Sell Target’s Internal Source Code After Leaking Samples An unknown threat actor has allegedly breached Target Corporation’s internal development environment, claiming to possess and sell a massive trove of the retailer’s private source code. Last week, the hackers published sample repositories on Gitea a self-hosted Git platform containing portions of Target’s code and developer documentation as proof of the breach. The leaked samples included repositories with names like wallet-services-wallet-pentest-collections, TargetIDM-TAPProvisioingAPI, and Secrets-docs, along with commit metadata referencing internal Target servers and current senior engineers. A SALE.MD file in each repository advertised a full dataset of approximately 860 GB, listing over 57,000 files and directories. After BleepingComputer contacted Target about the alleged breach, the Gitea repositories were taken down, and the company’s Git server (git.target.com) became inaccessible from the internet. Previously, the subdomain had redirected to a login page for employees, but as of last weekend, it no longer loads externally. While some cached pages from git.target.com appeared in search engine results, it remains unclear whether this indicates prior exposure or misconfiguration. Though BleepingComputer has not independently verified the full dataset, the leaked material including internal API references and employee details suggests an origin from Target’s private development infrastructure rather than its public GitHub projects. Target has not provided further comment following initial inquiries. The incident follows Target’s most significant prior breach in 2013, when attackers stole payment card data and personal information from up to 110 million customers. The current claims, if confirmed, would mark another major security lapse for the retailer.

Facial Recognition Risks: The Permanent Threat of Stolen Biometric Data A growing number of organizations retailers, banks, airports, stadiums, and office buildings are deploying facial recognition systems to monitor and identify individuals. Unlike passwords or credit cards, which can be reset or canceled, a person’s face is a permanent biometric identifier. Once captured and converted into a mathematical template, it becomes a lifelong digital key that, if stolen, cannot be revoked. Facial recognition systems don’t store actual images but instead create unique templates mapping facial features. While these templates are more secure than raw photos, they remain vulnerable to theft. A breach could expose individuals to persistent risks, as stolen templates can be matched against surveillance footage or online images to track movements, verify identities, or even bypass security systems. Real-world breaches have already occurred. In 2024, a facial recognition system used in Australian bars and clubs was hacked. In 2019, U.S. Customs and Border Protection’s biometric data was compromised in a subcontractor breach. While it’s unclear whether stolen biometric data has been exploited, the potential for misuse is significant. Unlike fingerprints or iris scans, which require deliberate interaction, facial recognition can capture individuals without their knowledge or consent. Public cameras can scan faces from a distance, creating persistent digital records. If a database is breached, stolen facial templates can be cross-referenced with other data sources, enabling tracking or impersonation. Some organizations, like Madison Square Garden, have used facial recognition to restrict access to specific individuals. Retailers such as Wegmans and Target employ it for theft prevention, adding more records to centralized databases. Many companies lack cybersecurity expertise and rely on third-party vendors, increasing the risk of breaches or unauthorized data linking. A stolen facial template can act as a "primary key," connecting disparate datasets such as email addresses, financial records, or social media profiles to create a comprehensive identity profile. Combined with AI tools like deepfakes, criminals could impersonate individuals in systems requiring live facial verification, making identity theft harder to detect and reverse. While organizations can mitigate risks by encrypting templates, minimizing data retention, and implementing liveness detection, the convenience of facial recognition often comes at the cost of permanent privacy and security vulnerabilities. In regions with privacy laws, individuals may request access to or deletion of their biometric data, but widespread adoption continues to outpace safeguards.

Facial Recognition Data Breaches Pose Permanent Identity Risks Facial recognition technology is increasingly embedded in daily life scanning shoppers in grocery stores, travelers at airports, and attendees at stadiums often without their knowledge. Unlike passwords or credit cards, biometric data, such as facial templates, cannot be reset if compromised, creating a lifelong vulnerability. These systems convert faces into mathematical templates that map unique features, making them more secure than raw images but still susceptible to theft. Once stolen, a facial template can unlock access to bank accounts, secure facilities, or other systems, with no way to revoke or replace it. Real-world breaches have already occurred: in 2024, a facial recognition database used by Australian bars and clubs was hacked, and in 2019, U.S. Customs and Border Protection’s biometric data was exposed via a subcontractor breach. Unlike fingerprints or iris scans, which require physical interaction, facial recognition can capture individuals from a distance in public spaces, enabling passive tracking. Stolen templates can be matched against surveillance footage or online photos, allowing criminals to monitor movements or impersonate victims. When combined with other leaked data such as email addresses or financial records these templates can create "super-profiles," linking a person’s identity across multiple platforms. Organizations often rely on third-party vendors to manage biometric data, increasing the risk of centralized breaches. Some retailers, like Wegmans and Target, use facial recognition for theft prevention, while venues like Madison Square Garden have employed it to block entry to specific individuals. Unlike device-level biometrics (e.g., phone unlocking), which are stored locally, cloud-based systems remain vulnerable to large-scale attacks. The permanence of facial data makes identity theft particularly damaging. AI tools, such as deepfakes, could further exploit stolen templates, enabling fraudsters to bypass liveness detection systems. While some regions, like the EU and parts of the U.S., offer legal protections such as the right to request data deletion many organizations lack robust safeguards, leaving individuals exposed to long-term risks.

In December 2013, Target fell victim to one of the largest retail cyber attacks in history. The attack exposed payment card information of 41 million customers and contact details for an additional 29 million. Utilizing a spear phishing technique, attackers initially compromised a third-party vendor's credentials, providing them with access to Target's network. Subsequently, malware was installed to collect customer payment data across a two-month period. This breach not only led to significant financial losses amounting to approximately $290 million but also resulted in the departure of Target's CEO and country-wide fines totaling $18.5 million. Remediation efforts, consulting, and various associated expenses substantially increased the cost of this breach.

The California Office of the Attorney General reported a data breach involving Target Corporation on December 20, 2013. The breach occurred between November 27 and December 15, 2013, resulting from unauthorized access to payment card data. Compromised information included customer names, credit or debit card numbers, expiration dates, and CVVs. The number of individuals affected is unknown.

In 2013, Target suffered one of the most infamous third-party breaches in retail history when cybercriminals infiltrated its systems via a compromised HVAC vendor (Fazio Mechanical Services). The attackers exploited weak credentials from the vendor’s network to access Target’s payment systems, stealing 40 million credit/debit card records and 70 million customer details (names, addresses, phone numbers, and email addresses). The breach resulted in $200+ million in direct costs, including legal settlements, regulatory fines, and credit monitoring for affected customers. Beyond financial losses, Target faced severe reputational damage, a plummet in consumer trust, and a 46% drop in profits during the post-breach quarter. The incident also triggered industry-wide scrutiny of third-party risk management, prompting stricter compliance mandates like PCI DSS updates and accelerated adoption of vendor security audits. The breach exposed systemic vulnerabilities in supply chain cybersecurity, proving that even robust internal defenses could be bypassed through negligent third-party partners.