Target said the thieves took credit card numbers, names, postal addresses, phone numbers and email addresses.
The data breach began on or around 29 November, known as Black Friday, one of the busiest shopping days of the year.
The company said customers would have “zero liability” for any fraud losses.
But this hasn’t stopped some customers suing Target, claiming that Target failed to notify them of the breach before it was first reported and did not “maintain reasonable security procedures” to prevent the attack.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” said Gregg Steinhafel, Target’s chairman, president and chief executive officer.
Target is offering one year of free credit monitoring and identity theft protection to all its US customers.
Security researcher Brian Krebs, writing about the breach in December, said sources at credit card payment processing firms had told him the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores.
The thieves stole data between Thanksgiving and 15 December, said Target. This data is often sold on to criminals via underground marketplaces.
The largest ever credit card breach at a US retailer took place in 2007 when cyber-thieves managed to steal information related to almost 46 million credit and debit cards from TJ Maxx and Marshalls.
The thieves amassed the huge cache of data over an 18-month period after penetrating the retailers’ computer network.