ABC News reports that at least 25 million people were affected by the recent Office of Personnel Management hack—more than six times the number originally reported by authorities.

The government’s apparent explanation for the wildly disparate reports is that they counted the breach as two hacks, the larger of which they considered to be a “separate but related” issue that was still “under investigation” at the time. Via ABC:

At the time, OPM only disclosed that the personnel records of 4.2 million current and former federal employees had been compromised.

But there was little doubt — at least privately –- that the universe of victims was vastly bigger because the hackers had access to far more than personnel records, including files associated with background investigations and information on government workers’ families.

In fact, the hackers allegedly rummaged through various OPM databases for more than a year — and lawmakers and U.S. officials alike have described the breach as a significant threat to national security.

It’s still unclear how many Americans were actually affected (most reports cite anonymous sources) but Politico says it’s actually more like 21.5 million because some identities were essentially hacked twice. Either way, it’s clear the government drastically underreported the extent of the damage.

And it wasn’t just basic information—the hackers got away with highly sensitive documents that include “military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race data,” plus reportedly unencrypted social security numbers.

The breach reportedly began in 2013 when hackers obtained credentials through an employee of a government contractor, KeyPoint Government Solutions. It wasn’t detected until April, ABC reports.

Contact the author at gabrielle@gawker.com.