Foreign hackers who pulled off a stealthy breach of at least a dozen federal agencies got caught after successfully logging in to a top cybersecurity firm’s network, tipping the company off to a broader hacking campaign targeting the U.S. government, according to officials from the firm and congressional aides briefed on the issue.

The suspicious log-in prompted the firm, FireEye, to begin investigating what it ultimately determined to be a highly damaging vulnerability in software used across the government and by many Fortune 500 companies.

It’s not clear how long it took FireEye to notice that it had been hacked, in a scheme that U.S. officials have linked to Russian intelligence. But the vulnerability, found in IT management software developed by a company called SolarWinds, had given the hackers months of access to internal email accounts in at least a dozen U.S. federal agencies, including the Treasury, Homeland Security and Commerce departments.

Two congressional staffers briefed on the intrusion said FireEye representatives, who met with multiple lawmakers and their staffers this week to discuss the hack, disclosed a potentially embarrassing detail: that the hackers had exploited a security feature called two-factor authentication to gain access to FireEye’s network by duping an employee into revealing his or her credentials.