The hackers who stole the credit or debit card details of 40 million Target customers, in the second-largest breach of its kind in US history, may have also obtained encrypted pin numbers.
A "senior payments executive" familiar with the situation told Reuters the situation is worse than previously thought, with one major U.S. bank concerned the encryption could be cracked.
With the card owners' full names, addresses and card numbers already exposed, cracking the pin numbers could have serious repercussions for affected Target customers.
Fraudulent withdrawals from customer accounts are now feared according to the source, who spoke on the condition of anonymity.
Target, which is still in the process of investigating the theft, insists there is "no reason to believe" pin numbers were obtained.
Spokesperson Molly Snyder said: "We continue to have no reason to believe that PIN data, whether encrypted or unencrypted, was compromised. And we have not been made aware of any such issue in communications with financial institutions to date. We are very early in an ongoing forensic and criminal investigation."
Since the theft, the card details have become available on the black market for $50 a pop.