MINNEAPOLIS (WCCO/AP) — About 5 million credit and debit cards out of the approximately 40 million whose information was stolen in a massive Target data breach have been used to make fraudulent purchases, according to reports.

The Wall Street Journal says that translates to about 10 to 15 percent of the accounts that were compromised late last year.

READ MORE: Memphis Man Killed By Semi In St. Paul While Walking On Highway 52

A rough estimate by the Wall Street Journal found that about $300 in fraudulent purchases are being made on each card.

That would bring the overall total of up to $2 billion in losses, which Target would likely have to cover.

It now appears that the hackers who stole the credit and debit card numbers breached Target’s systems by using stolen electronic credentials from a vendor.

READ MORE: Henry Sibley High School In Mendota Heights Changes Name To 'Two Rivers High School'

Spokeswoman Molly Snyder declined to comment on further details, such as the vendor’s identity or how the hackers stole the credentials, citing the ongoing nature of the investigation.

Target says it is working with the Secret Service and the Justice Department in response to the data breach.

Last week, some card numbers of Target customers from South Texas turned up in the arrest of a pair of Mexican citizens at the U.S.-Mexico border. But experts believe the attack’s original perpetrators will be difficult to locate.

MORE NEWS: Where Are All The July 4th Fireworks Shows This Year?

(TM and © Copyright 2014 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2014 CBS Broadcasting Inc. Used under license. All Rights Reserved.This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.)