You may have been the target of cybercrime if you shopped at brick-and-mortar Target stores during the Christmas shopping season. But you might also be in danger if you shopped in six other yet-unnamed retailers, according to a recent report.

The hacking of Target's credit and debit card system during the height of the Christmas shopping season was one of the most unprecedented data breaches in the modern age, affecting millions of people, causing credit card companies and banks to reissue millions of cards, and ultimately forcing Target to offer free credit-protection services for its customers affected by the hack attack.

This is terrible news for Target, which is scrambling to recover after admitting that 40 million credit and debit card accounts' information had been stolen, with that number later rising to over 70 million. But now a report from cybersecurity firm InterCrawler to Reuters shows that the pain is not over for retailers and consumers: The security firm says it has uncovered at least six ongoing attacks at U.S. retailers using the same malware that infected the Target credit card system.

The six other retailers currently suffering under an ongoing attack were not made public, although InterCrawler's chief executive Andrew Komarov said he has alerted law enforcement, Visa Inc., and several large banks about his findings. The retailers are suspected to all be victims of a malicious software program called BlackPOS, which was confirmed as used against Target. Komarov said retailers in California and New York were among those who fell victim to BlackPOS. The security expert also said that payment card data was stolen in the other attacks, but he didn't know how much.

One retailer, upscale merchant Neiman Marcus, is suspected to be one of the six, as it disclosed last week that it, too, was a victim of a cyberattack. But Neiman Marcus's inclusion in Komarov's six yet-undisclosed retailers to have had a data breach is still speculative and unconfirmed, and law enforcement has declined to discuss ongoing investigations. However, Reuters cited anonymous sources in reporting that at least three well-known "national retailers" have been attacked.

Meanwhile, data stolen from Target and other big retailers is reportedly making its way to "underground data auctions," going for around $100 per, which includes debit card numbers, credit card numbers, pin numbers, and 3-digit security codes.

The source of all this mess may either be surprising or may seem cliché, if you watch a lot of cybercrime movies: investigations into the BlackPOS malware led to St. Petersburg, Russia, and a hacker who is now 17 years old with the alias "Ree4."  Ree4 pieced together code from a standard malware (referred to as "potato" in Russia) and other code from underground cybercrime sites to create a BlackPOS, a "RAM scraper," which captures data when it travels through the computer's RAM systems, where it's unencrypted and in plain text. 

Ree4 has been monitored by Komarov since March and is suspected to have sold the BlackPOS system to Eastern European cybercriminals for either $2,000 or a 50 percent cut of the profits.

Unless consumers find out which other retailers were hacked and protect themselves, those profits might be huge.