Citrix confirmed in a March 8 blog post that the FBI had informed the company it believed “international cyber criminals” had accessed the internal corporate network. “While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords,” Citrix said.

Password spraying involves using a short list of passports on a broad range of systems until one works, reports Dark Reading. More and more hackers are using this technique, rather than a “brute force” attack on a single system, to avoid being timed out and possibly alerting their target, experts say. Password spraying can slip under the radar because the attempts are spread out across systems over time.

The problem is employees reusing common passwords. A simple list of the top 1,000 passwords works three-fourths of the time, according to the U.K. National Cyber Security Centre.

Citrix said hackers seemed to have accessed certain business documents, though which ones weren’t known. “At this time, there is no indication that the security of any Citrix product or service was compromised,” according to the company. But the potential risks are vast, considering that Citrix handles virtual private networks for more than 400,000 companies, reports LowCards.com. Citrix also reportedly provides services to 98% of the Fortune 500.

In a further wrinkle, NBC reported that Iranian hackers may have been behind the attack. NBC’s information was attributed to Charles Yoo, president of a cybersecurity firm called Resecurity. ITWire has uncovered reasons to doubt the man’s identity, reporting that a woman at the phone number for the company said no one by that name was there. Instead, Resecurity’s head is apparently Andrew Komarov, who came under fire in 2014 after misidentifying the hacker behind a data breach at Target.