(Reuters) - The number of victims of the MOVEit hack grew by several million on Thursday after the biggest U.S. pension fund, the California Public Employees Retirement System, and insurer Genworth Financial Inc. said personal information of their members and customers had been compromised.

Both said a third-party vendor, PBI Research Services, was affected in a data theft hack, providing a path for the hackers to then steal data from Calpers and Genworth. PBI could not be reached for comment.

Calpers said on June 6, PBI told them of a “vulnerability” in their MOVEit Transfer software that allowed hackers to download “our data” without specifying how many people were impacted. News reports said information from more than 700,000 Calpers members and retirees was taken.

The MOVEit software is widely-used by organizations around the world to share sensitive data.

Genworth Financial was harder hit, saying personal information of nearly 2.5 million to 2.7 million of its customers was breached.

"The personal information of a significant number of insurance policyholders or other customers of its life insurance businesses was unlawfully accessed," Genworth said.

From U.S. government departments to the UK's telecom regulator and energy giant Shell, a range of victims have emerged since Burlington, Massachusetts-based Progress Software found the security flaw in its MOVEit Transfer product last month.

The insurer said it is working to ensure "protection services" are provided to the impacted individuals, according to a regulatory filing.

Data taken from Calpers included members' first and last name, date of birth and social security number. It serves more than two million members in its retirement system.

The MOVEit hack has hit several state and federal agencies. Last week, the U.S. Department of Energy got ransom requests from the Russia-linked extortion group Clop at both its nuclear waste facility and scientific education facility that were recently hit in a global hacking campaign.

Data was compromised at the two DOE entities after hackers breached their systems through a security flaw in MOVEit Transfer.

The wide-ranging impact of the hack shows how even the most security-minded federal agencies are struggling to defend against ransomware attacks. Ransomware gangs typically scour for such widely-used tools.