It wasn't just credit card numbers that were stolen.
Target reported that hackers obtained credit card info and "personal data" from 40 million accounts. It's unclear what personal data was stolen from the reports we've seen, but we do know that the info was stolen from magnetic strips on the back of credit cards. Magnetic strips can include your name, credit card number, expiration date, and discretionary data like PIN numbers and security codes.
How was it stolen?
It's not immediately clear, but given the speed with which Target was able to identify and disable whatever exploit the hackers were using, and given the choice of the word "hackers" to describe the data thieves, it's likely that malware was somehow uploaded to Target's in-store credit card processing system. Target is working with both the Secret Service and a third-party investigator who specializes in these things to figure out what happened and hopefully catch those responsible.
The breach happened between 11/27 and 12/15.
If you didn't buy anything at a Target store between these dates, then your credit card info is safe.
Online purchases were not affected.
This time out, the only shoppers who were affected by the data breach are those who actually made a purchase inside a Target store. Online transactions are handled separately from in-store transactions, and thus were not affected. Likewise, if you bought online and opted to pick up in-store, that purchase would not be affected either. To reiterate: You are only affected by this data breach if you bought something at a physical Target store between 11/27 and 12/15 and paid for it at a Target cash register.
Monitor your credit card transactions.
The hackers basically took everything they would need to clone your credit card or Target REDcard. Most credit card companies have excellent fraud detection programs that quickly contact you and shut down compromised cards, but don't take it for granted that they will catch it. The safest thing to do is to request a new card from your issuer - just because your card hasn't been cloned and used yet doesn't mean it won't be in the future by whoever has your info.
Target has posted an FAQ on their corporate website, and the data security blog Krebs on Security is keeping close tabs on the investigation and is an excellent independent resource for those following the story.