Former employees of Yahoo have corroborated this week’s stories about the company scanning all emails coming into their servers on behalf of the NSA, saying that the “email scanner” software was not Yahoo-built, but actually made and installed by the US government.

The employees, including at least one on Yahoo’s own internal security team, reported finding the software on the email server and believing they were begin hacked, before executives informed them the government had done it. They described the software as a broader “rootkit” that could give the NSA access to much more than just emails.

To make matters worse, the employees say the government’s software was “buggy” and poorly-designed, meaning it could’ve given other hackers who discovered it the same access to the Yahoo server, adding to the danger it posed to customers’ privacy.

Yahoo itself has been mostly mum on the matter, issuing a statement claiming the initial reports were “misleading” but not elaborating at all. The NSA denied the claim outright, though they have been repeatedly caught lying about similar programs in the past.