Credential-Stuffing Account Fraud on Target Circle
Automated tools use leaked email-and-password pairs to access Target Circle accounts, allowing attackers to redeem earnings for gift cards, place online orders with saved payment methods, or harvest stored personal data.
Part of: Credential Stuffing Account Fraud
Last reviewed: 8 June 2026
Target Circle is the retailer's loyalty programme, offering members a percentage back on purchases and personalised deals. Accumulated Circle earnings can be redeemed for discounts on future Target purchases, and Circle accounts often store saved payment methods and a delivery address — making a compromised account worth more than just the outstanding loyalty balance.
Target's broad consumer base means that a large proportion of credential-stuffing targets are everyday shoppers whose Circle accounts are linked to debit cards and home addresses. Attackers who successfully log in can redeem Circle earnings for gift cards (which are resaleable), place orders for electronics or gift cards shipped to mule addresses, or harvest stored card numbers for use elsewhere.
Target Circle accounts are created using the same email-password combination many users employ across dozens of services, making password reuse the primary vulnerability.
How this scam works on the Target brand
After a successful credential-stuffing login, the attacker quickly redeems any available Circle earnings balance for Target gift cards, which they purchase digitally. Digital gift cards are immediately usable and saleable, making them the fastest route to monetising a compromised balance.
If the account has a saved payment method, the attacker may add a new shipping address and place an order for high-value, easily resaleable items — electronics, gift cards, or luxury personal care products — before logging out.
Some attackers change the account's recovery email to prevent the legitimate owner from receiving login alerts or reclaiming the account quickly. They may also attempt to apply for a Target RedCard in the victim's name using the profile data already stored.
Common red flags
- A Target Circle login alert arrives from an unfamiliar device or location
- Your Circle earnings balance has decreased without a redemption you made
- Your Target account shows orders for items you did not place, often to an unfamiliar address
- Your account email address or delivery address has been changed without your action
- A Target RedCard application confirmation arrives that you did not submit
- You cannot log in to Target.com despite using what you believe is the correct password
How to protect yourself
- Use a unique, strong password for your Target Circle account — not shared with any other service
- Enable two-factor authentication on Target.com under Account and Security settings
- Review your Circle earnings balance and recent order history regularly
- Check haveibeenpwned.com for your email address and update any reused passwords
- Place a credit freeze to prevent a fraudulent Target RedCard application being processed
- If you spot unauthorised orders, contact Target immediately at 1-800-440-0680 to cancel and report fraud
How to report it
- Report account fraud to Target at 1-800-440-0680 or via Target.com/help
- Report to the FTC at reportfraud.ftc.gov
- If a fraudulent RedCard was applied for, contact TD Bank (Target's card partner) and the FTC's identitytheft.gov
- Contact your bank or card issuer if any fraudulent charges were made using your saved payment method
Frequently asked questions
What can an attacker do with my Target Circle account?
Redeem Circle earnings for digital gift cards, place orders with your saved payment method, change your delivery address, and potentially apply for a Target RedCard in your name. All of this can happen quickly after a successful login.
Can Target reverse fraudulent Circle earnings redemptions?
Target's fraud team can investigate and may reverse fraudulent redemptions if reported promptly. Contact Target customer service immediately after noticing any unrecognised activity.
Does Target have two-factor authentication?
Target.com offers two-step verification. Enabling it means a successful credential-stuffing login still requires a code sent to your phone or email, significantly reducing the risk of account takeover.