Equifax divulged on Wednesday that the culprit behind this summer’s breach of 143 million Americans was an Apache Struts vulnerability, CVE-2017-5638, patched back in March.

The Vice President of the Apache Struts PMC says the attackers likely used an unknown Struts zero day or an earlier announced vulnerability.

Victims of the massive Equifax breach may have to wait days to find out if they were impacted.

Equifax, one of the three largest credit agencies in the United States, disclosed Thursday afternoon it’s looking into a data breach that may have affected upwards to 143 million Americans.