Is it common and responsible to name the source of the credential leak like that? I can imagine that maybe other retailers would want to know that information, but I can also imagine the investigation is continuing and thus the opportunity exists for the story to become more complex.
Other retailers should be less concerned about if they have done business with this vendor than they should be able letting any vendor have insecure access to their network.
