MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts

Cyber analysts said the MOVEit attack resulted in 600 breaches but is still ongoing

A hydra-headed attack centered on a single American software company has affected data at approximately 600 firms globally, according to counts by cyber experts that Reuters confirmed.

But more than two months after Massachusetts-based Progress Software first revealed the vulnerability, the flow of new victims has hardly slowed. The totals indicate that the breach of Progress' MOVEit Transfer file management tool has so far affected close to 40 million people. The digital extortionists involved, a group known as “cl0p,” have now stepped up their efforts to release the stolen material into the public realm.

“We are just in the very, very early stages of this,” said Marc Bleicher, chief technical officer of the incident response company Surefire Cyber. “I believe the true impact and repercussions won’t be evident for some time.”

Enterprises use MOVEit to ship large volumes of often sensitive data, such as pension information, social security numbers, medical records, billing information, and similar data. The attack has spread outward in sometimes complicated ways because many of those firms handled data on behalf of others, who in turn obtained the data from other parties.

For instance, when cl0p compromised the MOVEit software used by a business called Pension Benefit Information, which specializes in finding surviving family members of pension fund holders, it was able to access the data of the Teachers Insurance and Annuity Association of America. That New York-based company administers pension plans for 15,000 institutional clients, many of whom have spent the past few weeks alerting staff members of their exposure.

John Hammond from Huntress Security, one of the first researchers to start following the hack, said, “There’s this domino effect.”

Hacks by groups like cl0p happen all too frequently. However, the sheer range of MOVEit’s victims—from California retirees to Louisiana drivers to New York public school students—has made it one of the most well-known instances of how a single bug in a specialized piece of software may result in a major privacy crisis.

The breach, according to Christopher Budd of the British company Sophos, was a reminder of how reliant businesses were on each other’s digital fortifications.

Progress said that it had fallen prey to “an advanced and persistent cybercriminal group” and that its main priority was now providing help for its clients.

According to two people familiar with Progress’ investigation, cl0p’s hacking campaign started on May 27.

The following day, a customer who noticed unusual activity informed Progress about the hack, according to these sources. The company issued a warning on May 30 and a “patch” (or fix) the following day, which partially stopped the hackers’ effort.

According to Eric Goldstein, a senior official at the U.S. Cybersecurity and Infrastructure Security Agency, “many organizations were actually able to deploy the patch before it could be exploited.”

Not all businesses were as fortunate. Nathan Little, whose company Tetra Defense has responded to dozens of MOVEit-related incidents, said the hack potentially affected thousands of enterprises. Details regarding the amount of stolen content or the number of organizations affected are not publicly available.

“We might never learn the precise number,” he said.

Some analysts have tried to keep count. Emsisoft, a cybersecurity company, reported 597 victims overall as of Sunday, affecting 39.7 million individuals.

German IT expert Bert Kondruss provided similar figures, which Reuters verified by cross-referencing them with reports from corporations, government agencies, and cl0p’s blogs.

One-fourth of the victims were affiliated with educational institutions, including colleges, universities, and even New York City public schools; Emsisoft and Kondruss counted over 100 victims in the United States alone.

The exposure is not limited to the academic world.

Own a car? The compromised data totaled about 9 million records, according to the motor vehicle departments of Louisiana and Oregon. Retired? Pension Benefit Information was misused to compromise pension management companies like T. Rowe Price and the California Public Employees’ Retirement System. Between 8 and 11 million people’s records were compromised as a result of the breach at US government contractor Maximus alone.

A shaky silver lining? The hackers may have taken too much information to release it all.

Alexander Urbelis, senior counsel at the New York-based law firm Crowell & Moring, which has assisted victims in determining their exposure to the dragnet of the hackers, claimed that the incredibly slow download speeds from the hackers’ rickety darknet website “made it all but impossible for anyone” – whether well-intentioned or not – “to access the stolen data.”

The American official, Goldstein, claimed that data had not yet been disclosed “in many cases”.

Cl0p, which ignored Reuters’ messages, appears to be working to fix that. Late last month it set up websites with the express purpose of disseminating stolen material, and earlier this week the material was shared over peer-to-peer networks.
