More than 10 weeks after the Alameda County Library was hacked, officials say they’re still not sure how many people’s information may have been compromised.

While the library system is certain the names and addresses of at least 35 people have been exposed to hackers, the total number of library cardholders affected could be as high as about 400,000.

It’s also unclear whether additional personal information, such as driver’s license numbers, email addresses, phone numbers and birth dates of library cardholders, was hacked.

County Librarian Cindy Chadwick said in an interview that she received an email Sept. 11 from perpetrators who listed the names and addresses of 35 hacked library patrons. The email claimed the hackers had such information for the library’s entire database of users and might sell it.

Alameda County Sheriff’s Office spokesman Sgt. Ray Kelly said the hackers demanded five Bitcoin and threatened to otherwise sell the information on the dark web — a series of websites and spaces accessible through special software, where users’ information and location often remain anonymous.

Bitcoin, a decentralized digital currency, was listed as worth nearly $10,000 each earlier this week.

Chadwick said she’s overseeing the investigation into the hacking incident, working with the sheriff’s office and the library’s information technology administrators as well as library software providers.

Data the hackers provided to the library in the email did not contain other optional personal information the library collects when people sign up for library cards, such as birth dates, email addresses and driver’s license numbers.

Chadwick said it’s nevertheless possible the hackers also have that information from the 35 people they listed or the roughly 400,000 people with library cards to the county system’s 10 East Bay branches, including four in Fremont.

“That’s still part of the investigation,” she said. “I don’t think we have a clear answer on that yet.”

Multiple emails and phone messages seeking comment from the library’s information technology manager, Angel Vazquez, were not returned.

The library does not collect personal information such as Social Security numbers or credit card details, Chadwick said.

Although Chadwick received the hackers’ email on Sept. 11, the library did not tell cardholders about it until late October. The issue wasn’t discussed at the library’s advisory committee meeting on Oct. 4 either.

Library spokeswoman Alicia Reyes said there were “several steps we had to take before we could communicate this incident to our patrons,” including discussing it with the library’s legal counsel and getting an email marketing firm to send a mass email notification about the incident.

When library patrons sign up for a card, they only agree to get notifications about their own library materials, such as checkout and return dates or past-due bills, Reyes said. But special permission had to be obtained before the library sent out a large email blast.

Reyes said an email announcement about the hacking was sent to 159,118 patrons who are considered active, meaning they have used the library within the last three years. The emails were sent in batches between Oct. 20 and 22.

The library mailed letters to the 35 people named in the Sept. 11 email to notify them about the breach.

Kelly said the library also received a second email the next day that appeared to have been sent from one library employee to another. The email contained a phony invoice requesting roughly $44,000 for office equipment and machinery.

Kelly said one of the employees believed their email account with the library had been illicitly accessed.

In response to the incident, Chadwick said the library is reviewing all its systems “so that we can make sure we have the best practices with regard to data security.”

She said the library administration is also considering changing the kind of data it collects, potentially removing driver’s license numbers as an option when people sign up for a card.

She noted that’s “kind of a legacy thing, and a lot of library systems, if they haven’t already, are taking out the driver’s license” and “in my opinion it’s not worth the risk” to collect and store that information.

“I can tell you that this hasn’t happened before at Alameda County Library to my knowledge,” Chadwick said. She has been the county librarian since January and had been the deputy county librarian since 2011.

“What surprised me about it was that anyone would bother hacking into a library system. We don’t collect any financial information at all,” she said. “Equifax doesn’t surprise me, but the library system did.”

Chadwick said that before the incident occurred, she and other county department heads attended a presentation in which the county’s chief information officer, Tim Dupuis, warned that public email accounts and systems could be vulnerable to online security attacks and phishing scams.

She said the thrust of the presentation was to encourage good “user hygiene” among public employees. Chadwick added, however, there’s no evidence to suggest the hacking resulted from an employee’s careless behavior.