It started as a massive breach of data that affected roughly the entire active federal workforce. But the hack of the Office of Personnel Management's massive government employee database has ballooned into a behemoth — possibly affecting everyone who has applied for a security clearance in the past 15 years.
That put an untold number of service members squarely in the crosshairs.
OPM and the Defense Department now confirm that troops, civilians and contractors subjected to background checks since 2000 were exposed in the breach, which the Obama Administration has pinned on China.
In all, the number of people whose records were exposed grew from 4.2 million to 21.5 million — nearly 7 percent of the entire U.S. population.
Here's what you need to know.
1. Me? Yes you — probably, anyway, if you joined the military after 2000 and had a background check run on you as part of your initial security clearance process. If you signed up before that, OPM says the likelihood that you are affected is lessened, but is not out of the question.
Here's what OPM knows about what was lost: Hackers accessed systems containing info on about 21.5 million people, and officials know what organizations were affected. OPM knows that data was taken out of the system, but still needs to match the stolen data with specific individuals, said agency spokesman Samuel Schumach.
OPM is preparing to award a contract that seeks to identify exactly whose data was stolen, Schumach said. Until then, it will be impossible to know the exact number of troops affected.
"I wouldn't be able to give any projections, because they could vary greatly, as the data has not yet been analyzed and extracted," he said. "That is what the contractor will be doing once awarded."
A message to all Navy Department personnel summed it up this way: "It is prudent to assume we are all affected by the compromise of this information."
2. So what does Beijing know about me? Lots — assuming the culprit was, in fact, China, which China has repeatedly denied. In a phone call with reporters July 9, former OPM director Katherine Archuleta, who has since resigned in the wake of the hack, rattled off a staggering amount of personal data exposed in the breach.
Included were Social Security numbers, residency and education information, employment history, health information, criminal and financial histories, and more, Archuleta said.
Also stolen were notes and data obtained by investigators in interviews, as well as personal information on immediate family members, she added.
The breach affected both security clearance applicants as well as nearly 2 million spouses and cohabitants.
3. Protections for victims. OPM has said it will provide credit monitoring and fraud insurance to anyone, including cohabitants and spouses, affected by the breach for three years, but that timeframe has been a little slippery; it could end up being extended.
According to a new website set up by OPM, there are a few other things victims of the hack can do, starting with updating all passwords. Officials say it's a good idea to avoid using birthdays, names or addresses that could be easily gleaned from your security clearance applications, as it's safe to assume that information is no longer secure.
You should also be on the lookout for phishing scams. It's generally a bad idea to click on URLs sent to you in an email from a dubious source, or a source that may be trying to pass itself off as legitimate, such as a bank. It's also a bad idea to give out any information solicited via email, as legitimate businesses don't behave that way.
4. Waiting game. OPM's message generally has boiled down to: "Don't come to us, we'll come to you." Schumach said the new contractor will be in charge of extracting the data accessed by the hackers and will begin sending out letters to affected individuals by groups.
Those groups will be determined by the types of data stolen, not necessarily by organizational affiliation. For example, if your fingerprints were stolen, you would be notified along with the million other people who had their fingerprints stolen, regardless of who they work for.
The letters sent out by the contractor will have all the details on how to sign up for the credit protection.
5. Retaliation. The Obama administration has not laid out a clear response to the hack, but officials have said economic sanctions against China are on the table. The problem there is that in order to levy sanctions, the White House would have to prove beyond a shadow of a doubt that the hack was sponsored by the Chinese state, and that's a tall order.
The administration has shown a willingness to wage cyber war in the past. In 2009, it unleashed the world's first cyber weapon on Iran's nuclear enterprise. The so-called Stuxnet virus wreaked havoc on Iran's nuclear developments and ushered in a new era of cyber warfare.
The administration also was implicated as a source of widespread Internet outages in North Korea following a cyber-attack on Sony that was blamed on the rogue Asian nation.
A similar response to the latest — and largest — hack in history would not be out of the question.
David B. Larter was the naval warfare reporter for Defense News.