U.S. finds hacker tool used to get card payment info is widespread

Published 12:00 am Saturday, August 23, 2014

More than 1,000 U.S. businesses have been affected by the cyberattack that hit the in-store cash register systems at Target, Supervalu and, most recently, UPS Stores, the Department of Homeland Security said in an advisory released Friday.

The attacks were much more pervasive than previously reported, the advisory said, and hackers were pilfering the data of millions of payment cards from U.S. consumers without companies knowing about it. The breadth of the breaches, once considered limited to a handful of businesses, underscored the vulnerability of payment systems widely used by retail stores across the country.

On July 31, Homeland Security, along with the Secret Service, the National Cybersecurity and Communications Integration Center and their partners in the security industry, warned companies to check their in-store cash register systems for a malware package that security experts called Backoff after a word that appeared in its code. Until that point, Backoff malware and variations of it were undetectable by antivirus products.

Since then, seven companies that sell and manage in-store cash register systems have confirmed to government officials that they each had multiple clients affected, the government said Friday. Some of those clients, like UPS and Supervalu, have stepped forward, but most have not.

In all, the Secret Service estimated that more than 1,000 U.S. businesses had been affected.

According to the Secret Service, criminals are actively scanning corporate systems for remote access opportunities — a vendor with remote access to a company’s systems, for example, or employees with the ability to work remotely — and then deploying computers to guess user names and passwords at high speeds until they find a working combination.

The hackers use those footholds to crawl through corporate networks until they gain access to the in-store cash register systems. From there, criminals collect payment card data off the cash register systems and send it back to their servers abroad.

Last year, in the largest known breach against a retailer’s payment system, hackers invaded Target for weeks without being detected. The hackers’ malware stole customers’ data directly off the magnetic stripes of credit and debit cards used by tens of millions of shoppers.

The Target breach exposed problems with the magnetic stripes on credit cards. Since then, banks and companies have taken a renewed interest in a chip-based smart card standard known as EMV, short for Europay-MasterCard-Visa, the technology’s first backers. Credit card companies have set an October 2015 deadline for U.S. retailers to upgrade their payment systems.