America’s JobLink (AJL), a multi-state online service that connects job seekers with employers, informed users last week that a malicious hacker breached the company’s systems.

The attacker exploited a vulnerability in the JobLink application to gain access to job seekers’ personal information, including names, dates of birth and social security numbers (SSNs). According to AJL, the attacker created an account on the platform and exploited a “misconfiguration” to access information on other users.

Law enforcement has been notified and a forensics firm has been called in to determine the cause and impact of the incident. AJL said the attacker created an account on the application on February 20, and the first signs of suspicious activity were noticed on March 12. The vulnerability, apparently introduced in October 2016, was patched on March 14.

AJL pointed out that the attack did not involve any type of malware, and it did not affect the company’s ReportLink or CertLink products.

The investigation showed that the attacker accessed information on users in Alabama, Arkansas, Arizona, Delaware, Idaho, Illinois, Kansas, Maine, Oklahoma and Vermont. These states use the JobLink service to coordinate federal unemployment and workforce development programs.

Individuals who created accounts before March 14 could be affected, and AJL has promised to send out email notifications to individuals whose accounts have been breached within 5-10 business days. Affected users may also be eligible for credit monitoring services.

An investigation has also been launched by the Department of Labor in the affected states, and each state has published information about the breach on its official website. More than 250,000 users could be affected in Delaware, 170,000 accounts may have been compromised in Idaho, while Vermont said the breach could impact up to 180,000 accounts.

StateScoop reported that more than 280,000 accounts are affected in Maine, and the breach could impact as many as 4.8 million accounts across the ten states.

At least one law firm is urging affected job seekers to step forward, which indicates that AJL is facing a lawsuit.

Related: 3.7 Million Exposed in Banner Health Breach

Related: Los Angeles County Notifies 756,000 of Data Breach

Related: 400,000 Records Exposed in Michigan State University Breach