Cybersecurity experts are still trying to determine the scale of damage wrought by a recent cyberattack using SolarWinds software on the U.S. government and Fortune 500 companies.

The attack aimed at the U.S. Treasury and Commerce departments as well as international companies continued for months until it was discovered by FireEye, a cybersecurity company that also fell victim to the hacking campaign. The hackers inserted malware into software updates that SolarWinds, an IT company, sent to government and private sector clients that use its Orion software to manage their networks.

So far this is what’s known of the cyberattack: About 18,000 private and government users downloaded a Russian-tainted software update — a Trojan horse of sorts — that gave its hackers a foothold into victims’ systems, according to SolarWinds, the company whose software was compromised.

While SolarWinds is not a household name, it works with many businesses and organizations that are. Among those who use SolarWinds software are the Treasury and Commerce departments as well as the Centers for Disease Control and Prevention, Department of Homeland Security, and large companies such as Cisco and Intel.

Could Your Personal Information Be At Risk?

The short answer is yes. That’s because the federal agencies and companies targeted in the attack and the private companies that work with SolarWinds potentially have a storehouse of personal information about Americans. According to several news reports, the attack may have left the updating system for many key security systems open to exploitation.

How Can You Protect Your Information?

Americans, just like the agencies targeted in the attack, should take a consistent approach to protect themselves. Use complex and different passwords for your digital accounts. Protect your identity by signing up for a identity theft protection plan. And use two-factor authentication for critical accounts like email and bank accounts. Don’t click on links from any source that you haven’t authenticated as legitimate. If your identity has been exposed, be on the lookout for notifications from government agencies or corporations that your information has been compromised.