When news came out that the Office of Personnel Management—the agency within the federal government that serves as the HR department over government employees—had been hacked and 4.2 million citizens had their highly sensitive data stolen, that was cause for alarm. But now that the OPM has been hacked again, the damage is quite different.

As part of a 127-page form, a highly in-depth document called the Standard Form 86 requires detailed information on every aspect of the applicants’ lives. Covering everything from education and previous employment to medical conditions, addictions, and mental health issues, this form basically lays everything about the applicants out for others to see.

Unfortunately, the form also asks for contact information for relatives and friends, former teachers, former military service supervisors, former employers, and many other people who can vouch for the applicant. The form then requests the phone numbers, addresses, email addresses, and other identifying items for those individuals that were listed on the document.

That means that any applicant who has applied for a security clearance via this form has now handed the hackers detailed identifying information of many people. If even half of the four million accounts that were hacked filled out this form and applied for a security clearance, and if those people listed only ten contacts each over the scope of the lengthy form, then the contact information for as many as twenty million people could have been breached. The numbers are not known at this time as to how many extra contacts were affected.

It’s tempting to think to yourself, “So what? It’s just some phone numbers and email addresses.” But there are some problems associated with even that amount of information falling into the wrong hands. The first threat is that the personal data can be used as pieces of a bigger puzzle in terms of identity theft. Next, the real danger of being targeted with phishing emails or having their information sold to crooks is always a problem. Finally, there’s the fear that the contact information will be used for extortion; after all, these are people the applicants knew well enough to list on their documents. It’s easy to see how a criminal could reach out to those individuals and demand money in exchange for keeping real or fictitious harm from coming to the applicants.

While the OPM isn’t able to comment on the breaches as an investigation is still underway, there are some things you should remember at this time. You may or may not even know if your name was listed on someone’s 86 Form; after all, it wants the names of former landlords, former teachers and classmates, and more. Therefore, now is the time to brush up on phishing awareness and avoid any strange emails, texts, or unknown phone calls. Never click a link in an email that you weren’t expecting, even if it appears to come from someone you know. If you receive a communication stating that someone you know is being threatened, be sure to confirm it before taking action or following instructions. Safeguard your avenues of communication, and be on the lookout for suspicious activity.