The data breach began around 29 November, known as Black Friday, one of the busiest shopping days of the year.
The attackers are believed to have been scooping up credit card details for almost three weeks.
"We take this matter very seriously and are working with law enforcement to bring those responsible to justice," said Target boss Gregg Steinhafel in a statement.
In addition, he said, the company was working with a data forensics firm to work out how the theft occurred.
Target said the thieves had taken credit card numbers, names, expiration dates and security codes for the cards.
It urged people who shopped at its stores in the vulnerable period to check credit card records and query unusual activity.
"We regret any inconvenience this may cause," said Mr Steinhafel.
Security researcher Brian Krebs, writing about the breach, said sources at credit card payment processing firms had told him the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores.
It is not yet clear how the attackers managed to get their malicious program on to point-of-sale equipment in the stores.
The thieves stole data between Thanksgiving and 15 December, said Target.
The US Secret Service, which has official responsibility for investigating financial fraud, told Reuters it was looking into the breach.
The largest ever credit card breach at a US retailer took place in 2007 when cyber-thieves managed to steal information related to almost 46 million credit and debit cards from TJ Maxx and Marshalls.
The thieves amassed the huge cache of data over an 18-month period after penetrating the retailers' computer network.
Comments from the original article:
Interestingly enough, I work for a credit card processing company. I also happened to shop at Target over the course of Black Friday. My thoughts: as we move into a world where electronic payment methods are becoming more widely used, we must take a step back and evaluate why they are so convenient in the first place. This convenience is obviously coming at a cost, and that cost is our privacy. This goes into the broader discussion of how the web has been used and is currently used to elicit intimate details of individuals. Getting back to the matter at hand, Target should have definitely invested more money in its security infrastructure, but at what point is security considered to be adequate? Will the 'hackers' always be one step ahead? Time can only tell, but my guess, this is an ongoing threat that will never truly be resolved completely. Omar Khalid, Astoria
bbc.co.uk 19 Dec 2013