“The ongoing forensic investigation has indicated that the intruder stole a vendor’s credentials, which were used to access our system,” a Target spokeswoman told Reuters in a statement.
Though Target isn’t identifying the vendor or the form of the credentials that were used, cybersecurity expert Brian Krebs has revealed details that might shed some light on what happened.
Krebs reports that an analysis of the malware used in the breach shows that the user account “Best1_user” and password “BackupU$r” were used to log in to a shared drive that had been set up by the hackers on Target’s internal network to collect all the stolen card information.
“That ‘Best1_user’ account name seems an odd one for the attackers to have picked at random, but there is a better explanation,” writes Krebs. “That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas based BMC Software — includes an administrator-level user account called ‘Best1_user.’”