That proved the case in December when Mr. Krebs uncovered what could be the biggest known Internet credit-card heist. That month, he had been poking around private, underground forums where criminals were bragging about a fresh haul of credit and debit cards.

Soon after, one of Mr. Krebs’s banking sources called to report a high number of fraudulent purchases and asked whether Mr. Krebs could pinpoint where they were coming from. The source said that he had bought a large batch of stolen cards from an underground site and that they all appeared to have been used at Target.

Mr. Krebs checked with a source at a second bank that had also been dealing with a spike in fraud. Together, they visited one forum and bought a batch of stolen cards. Again, the cards appeared to have one thing in common: They had been used at Target from late November to mid-December.

On the morning of Dec. 18, Mr. Krebs called Target. The company’s spokeswoman did not return his call until several hours later, but by then he had enough to run his article: Criminals had breached the registers in Target’s stores and had made off with tens of millions of payment card numbers.

In the following weeks, Mr. Krebs discovered breaches at Neiman Marcus; Michaels, the arts and crafts retailer; and White Lodging, which manages franchises for major hotel chains like Hilton, Marriott and Starwood Hotels.

It is still unclear whether the attacks were related, but at least 10 other retailers may have been hit by the same hackers that hit Target and are reluctant to acknowledge it.

The scale of this crime is ridiculous. One of the biggest in history.