What we thought was getting worse just keeps getting worser: This morning we heard that the data breach at Target had hit 70 million customers, instead of the 40 million originally reported by the company. And now that number is not only possibly up to 110 million, but it could include people who didn’t even shop during the holidays, which is when Target said the leak happened.

In the early days Target confirmed last month that “unauthorized access to Target payment card data” at its retail locations lasted from Nov. 27 to Dec. 15 and hit around 40 million shoppers.

But now the New York Times is reporting that the company’s investigation is showing that there was another store of data that was collected over time on 70 million people. That has apparently been hacked as well.

There could be some overlap between those customers and the ones who were hit during the holiday season. It’s worth pointing out though that if you’ve shopped at Target outside that holiday period, you could also be at risk.

“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, the Target chief executive, said in a statement.

And this might not be the worst yet, either. A Target spokeswoman says that the number of exposed customers could still grow.

Another reminder: Be extra wary of any emails purporting to be from Target asking for information like your Social Security number. That’s an easy way for your identity to get stolen, when combined with the other information potentially involved in the data breach.

Target Breach Affected Up to 110 Million Customers [New York Times]