Honestly, I assumed that this wouldn’t have gotten any worse than the Friday-afternoon and weekend dumps from the past few days. Clearly, that’s not the case. CNN’s Jake Tapper covered new information about the OPM sieve that suggests the total number of victims in this hack could surpass 18 million Americans– including some who never did get jobs with the federal government. The systems containing the critical information included in the hack also had data from the background checks of failed applicants:

The personal data of an estimated 18 million current, former and prospective federal employees were affected by a cyber breach at the Office of Personnel Management – more than four times the 4.2 million the agency has publicly acknowledged. The number is expected to grow, according to U.S. officials briefed on the investigation.

FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM’s own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.

The same hackers who accessed OPM’s data are believed to have last year breached an OPM contractor, KeyPoint Government Solutions, U.S. officials said. When the OPM breach was discovered in April, investigators found that KeyPoint security credentials were used to breach the OPM system.

Some investigators believe that after that intrusion last year, OPM officials should have blocked all access from KeyPoint, and that doing so could have prevented more serious damage. But a person briefed on the investigation says OPM officials don’t believe such a move would have made a difference. That’s because the OPM breach is believed to have pre-dated the KeyPoint breach. Hackers are also believed to have built their own backdoor access to the OPM system, armed with high-level system administrator access to the system. One official called it the “keys to the kingdom.” KeyPoint did not respond to CNN’s request for comment.

Evan Perez tells Tapper that “we may never know” the full extent of the hack. So far, we’re not even getting the full story of the scope of the hack. The story keeps changing about what the hackers accessed, for how long they had access, and what kind of information got exposed.

This part of the story now includes a government contractor, who may be doing work for other parts of the government. KeyPoint’s website seems to indicate that the company also does clearances for Homeland Security as well as OPM, as well as investigations of financial fraud and strategizing security solutions in the private sector. How much of that have the hackers managed to access? Will Homeland Security’s clearance data be the subject of the next mass mailing from the federal government, warning about the potential for identity theft and extortion?

Maybe we should just assume they got it all, eh?