More than three times as many Americans may have been affected by an IRS hack in March than previously thought.

Criminals potentially accessed the personal information of up to 338,000 taxpayers, the Internal Revenue Service said in a statement Monday. The agency originally reported only 114,000 victims.

The IRS says the perpetrators acquired access to the information through its online Get Transcript system, which stores information about individual taxpayers, including their Social Security numbers, street addresses, and dates of birth.

The system, which allows U.S. citizens to download tax returns and view tax payments, was disabled shortly after the breach. The government provided the initial 114,000 taxpayers whose information was known to be compromised at the time with free credit monitoring.

The IRS said it will send out letters over the next few days informing the new batch of potentially affected taxpayers.

“As part of the IRS’s continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system,” the agency said.

Potential security flaws in the Get Transcript system had been previously highlighted by computer security journalist Brian Krebs in March. The system was vulnerable, he wrote, because of its reliance on “challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.”

“Anyone who succeeds in supplying the correct answers can see the applicant’s full tax transcript,” added Krebs, “including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.”

Photo by eFile989/Flickr (CC BY-SA 2.0)