The list of fraudulent certificates obtained by hackers who breached a Dutch certificate authority has grown to more than 500 and includes certificates for domains owned by three intelligence agencies: the CIA, Israel’s Mossad and the UK’s MI6.

DigiNotar, which is owned by Illinois-based Vasco Data Security, also lacked basic security safeguards, such as strong passwords, anti-virus protection, up-to-date software patches, according to a third-party audit conducted by security firm Fox-IT in the Netherlands, released Monday.

DigiNotar acknowledged last week that it became aware it had been breached on July 19, though it has never disclosed how long the hackers were inside its network before they were discovered.

DigiNotar is one of numerous firms around the world that generate security certificates for internet entities. The certificates authenticate web pages using the Secure Socket Layer protocol so that users can trust that their encrypted communication is going to the correct location. Anyone who manages to steal a certificate – such as criminals or government agents – can impersonate a legitimate site to steal log-in credentials and read a user’s communications.

Since news of the DigiNotar breach broke last week, the list of fraudulent certificates the hackers obtained has grown to at least 531, all of which have been disclosed by parties other than DigiNotar. The company has been heavily criticized for failing to honestly communicate the depth of its breach or disclose the fraudulent certificates to browser makers so they could block them.

In addition to the intelligence agencies, the list of victims to date has included internet giants like Mozilla, Yahoo, Skype, Facebook, Twitter as well as the Tor privacy and anonymizing service and even Microsoft’s Windows Update service, according to Computer World. Certificates issued for Dutch government domains are also believed to have been compromised in the hack.

The Minister of the Interior for the Netherlands said on Saturday that the government could no longer guarantee the security of its websites and urged the public not to log into into them until new certificates could be obtained from other issuing authorities.

DigiNotar acknowledged the breach only after reports began circulating from people in Iran who claimed they were getting browser error messages when they tried to load the Gmail website. Google subsequently confirmed that a fraudulent Google certificate issued to a non-Google entity was operating in the wild, allowing someone to conduct a man-in-the-middle attack to intercept Gmail browsing.

DigiNotar admitted that the hackers who breached its network had obtained certificates for an undisclosed number of domains, but wouldn’t identify the victims. The company has said only that a third-party audit had uncovered a list of certificates the hackers obtained, all of which were subsequently revoked. DigiNotar acknowledged, however, that the auditor had somehow missed the certificate that the hackers had obtained for Google. That certificate was finally revoked last week after Google disclosed its existence in the wild.

Browser makers Google, Mozilla and Microsoft announced this weekend that they would be permanently blocking all digital certificates issued by DigiNotar, suggesting a complete loss of trust in the integrity of its service.

“Based on the findings and decision of the Dutch government, as well as conversations with other browser makers, we have decided to reject all of the Certificate Authorities operated by DigiNotar,” Heather Adkins, a Google information security manager, wrote in a post to the some 300,000 unique IP addresses in Iran may have accessed web sites that used the fraudulent certificate.

“The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran,” Fox-IT wrote.

But over the weekend, a hacker who previously claimed credit for breaching Comodo, another certificate authority, earlier in the year claimed responsibility for the DigiNotar breach as well. The hacker, who in the past has identified himself as a 21-year-old Iranian student, claimed he got root access to DigiNotar after obtaining an administrator’s username (Production/Administrator) and password (Pr0d@dm1n). He also claimed to have breached four other certificate authorities, including GlobalSign. Global Sign said in a tweet on Tuesday that it is investigating the claim.

The hacker claimed the attack was retaliation for the Dutch government’s indirect role in the death of 8,000 Serbian Muslims in 1995.

See also: