More than 110 million Target customers had their credit-card information stolen because at least one employee of a heating and air-conditioning contractor succumbed to an email phishing scheme, cybersecurity blogger Brian Krebs reported Wednesday.

The revelation, if true, is the strongest indication yet of what went wrong since Krebs first exposed the massive heist of consumer financial data at the national retail giant late last year, a startling cyberattack that has prompted intense congressional inquiry. Neiman Marcus and other chains have also recently been victimized, though it is not believed that the perpetrators are the same.

Last week, Krebs reported that hackers infiltrated Target’s network by swiping the login credentials of Fazio Mechanical Services, a Pennsylvania-based contractor.