The Target Corp. security breach that compromised the data of millions of Christmas shoppers could be traced to the cybertheft of information from a heating, air conditioning and refrigeration company in Sharpsburg, Pa.

Fazio Mechanical Services Inc. confirmed in an online statement Thursday that it is involved in an ongoing federal investigation surrounding the Target breach, saying that it was a victim of a “sophisticated cyberattack” and that it was cooperating with retailer and the U.S. Secret Service.

“Fazio Mechanical Services Inc. places paramount importance on assuring the security of confidential customer data and information,” according to the statement from Ross Fazio, owner of the company.

The company’s connection to the cyberattack was revealed when Brian Krebs, of technology security blog Krebs on Security, reported that hackers used network credentials stolen from Fazio Mechanical Services to break into Target’s network.

It’s the latest twist in a story that began during the holiday season when Target confirmed reports that about 40 million accounts may have been affected. In January, the retailer said other information involving up to 70 million individuals also was taken.

A Target spokeswoman declined to comment on Thursday about the Fazio connection, citing the ongoing investigation. U.S. Secret Service spokesman Brian Leary confirmed an investigation is underway but declined to elaborate.