More than 20,000 US organizations have been compromised through a back door installed via recently patched flaws in Microsoft Corp’s email software, a person familiar with the US government’s response said on Friday. The hacking has already reached more places than all of the tainted code downloaded from SolarWinds Corp, the company at the heart of another massive hacking spree uncovered in December. The latest hack has left channels for remote access spread among credit unions, town governments and small businesses, according to records from the US investigation. Tens of thousands of organizations in Asia and Europe are also affected, the records show. The hacks are continuing despite emergency patches issued by Microsoft on Tuesday. Microsoft, which had initially said the hacks consisted of “limited and targeted attacks,” declined to comment on the scale of the problem on Friday but said it was working with government agencies and security companies to provide help to customers. It added, “impacted customers should contact our support teams for additional help and resources.” One scan of connected devices showed only 10% of those vulnerable had installed the patches by Friday, though the number was rising. Because installing the patch does not get rid of the back doors, US officials are racing to figure out how to notify all the victims and guide them in their hunt. All of those affected appear to run Web versions of email client Outlook and host them on their own machines, instead of relying on cloud providers. That may have spared many of the biggest companies and federal government agencies, the records suggest. The federal Cybersecurity and Infrastructure Security Agency did not respond to a request for comment.