Target confirmed that up to 40 million customers’ credit and debit cards could be affected by a massive security breach after thieves gained access to private card information used at its stores.

Target confirmed early Thursday that its security systems were breached from the day before Thanksgiving through Dec. 15. Stolen card information includes the customer’s name, card number, expiration date and three-digit security code, Target said.

“We’ve no indication that PIN numbers were exposed,” said Target spokesman Eric Hausman.

The breach affected all cards, including Target store brand cards and major card brands such as Visa and MasterCard.

The Minneapolis retailer said it is “working closely with law enforcement and financial institutions and has identified and resolved the issue.”

Target urged customers to monitor their bank and card statements for any suspicious activity and to report it immediately to the card issuer.

In the meantime, the company sounded the all-clear for Christmas shoppers. In a Q&A, Target said customers can still use their cards, the security issue “has been resolved” and customers can “shop with confidence.”

Reaction on social media, however, suggests that some shoppers want more answers and faulted Target for being slow to warn its customers.

On Thursday, scores of anxious shoppers complained that Target’s customer-service lines were overwhelmed, and that they couldn’t log into their Target REDcard accounts.

“We are unable to call customer service or log-in to our accounts,” Brittany Havenner wrote on Target’s Facebook page. “How are we supposed to know if our card has been used? PLEASE ADVISE.”

Target CEO Gregg Steinhafel said in a statement Thursday: “Target’s first priority is preserving the trust of our guests, and we have moved swiftly to address this issue so guests can shop with confidence. We regret any inconvenience this may cause.”

He added, “We take this matter very seriously and are working with law enforcement to bring those responsible to justice.”

Target said it is working with a third-party forensics firm to conduct a thorough investigation of the incident.

U.S. Secret Service spokesman Brian Leary confirmed Wednesday the agency was investigating, but he declined to comment further.

Target said Thursday that credit and debit cards can still be used but did urge customers to monitor their accounts.

“If you shopped at Target between Nov. 27 and Dec. 15, you should check your account for any suspicious or unusual activity,” Target wrote. “If you see something that appears fraudulent, REDcard holders should contact Target (866-852-8680), others should contact their banks.”

More than 20 percent of Target shoppers pay with Target’s REDcard, which gives a 5 percent discount.

But unlike at most retailers, about half of the REDcard customers prefer to use a debit card, not a credit card. Debit cards link directly to a customer’s checking account.

Security experts advise Target customers to scan their accounts for unauthorized transactions and change the personal identification numbers to their debit accounts.

News reports on Wednesday said the theft involved the magnetic strip “track data,” which contain private information and could allow thieves to create counterfeit cards.

American Express spokeswoman Marina Norville confirmed that the credit card company was aware of the reported incident.

Norville said American Express was “working with Target, but it’s an ongoing investigation, so there’s not a lot to say at this point.”

The Wall Street Journal reported Wednesday that the breach “happened in stores, not online, and may have involved tampering with the machines that customers use to swipe their cards when making purchases.”

The first reports came from Brian Krebs, a former Washington Post reporter who now writes the blog Krebs On Security. Reached by phone Wednesday night, Krebs said he first began hearing whispers about a Target breach a couple of days ago.

He emphasized that he has no way of knowing whether any of the supposedly compromised card data has been used for fraudulent transactions.

Before it can be used, Krebs said, such data must first be sold to black market vendors. And this can be difficult.

“There is so much of this kind of stolen data out there that the prices are really low,” he said. “The market is completely saturated.”

If the thieves do find a buyer for any stolen Target data, it could be months before it is used in any fraud — if ever.

“Presuming this is all true, it’s probably one of the most serious things you can have happen, because it affects not only your store operations, it affects the lives and financial security of your customers,” said Jim McComb, a Twin Cities retail analyst.

Two years ago, McComb was involved in a similar security breach with a different retailer. In that case, McComb said, the cards had to be canceled “and the consumer has to get a new card. In many cases, companies provide credit monitoring for the cardholder.”

Norville, the American Express spokeswoman, said customers “are not liable for any sort of credit card fraud.” But she urged shoppers to keep track of their charges and alert American Express of anything suspicious.

Asked whether its fraud systems had detected unusual activity involving Target, Norville replied, “We’ve just started running diagnostics, so it’s too soon to tell.”

Visa issued a statement Thursday saying that when a security breach is found, it works with the parties involved “so they can take steps to protect consumers through fraud monitoring and, if needed, reissuing cards.”

But, Visa added, “Because of advanced fraud-monitoring capabilities, the incidence of fraud involving compromised accounts is actually rare, and Visa fraud rates remain near historic lows.”

Julio Ojeda-Zapata and the Associated Press contributed to this report.

Tom Webb can be reached at 651-228-5428. Follow him at twitter.com/TomWebbMN.

Nick Woltman can be reached at 651-228-5189. Follow him at twitter.com/nickwoltman.