There are about 2.6 million executive branch civilians, so the majority of the records exposed relate to former employees. Contractor information also has been stolen, officials said. The data in the hack revealed last week include the records of most federal civilian employees, though not members of Congress and their staffs, members of the military or staff of the intelligence agencies.
On Thursday, a major union said it believes the hackers stole Social Security numbers, military records and veterans' status information, addresses, birth dates, job and pay histories; health insurance, life insurance and pension information; and age, gender and race data.
The personnel records would provide a foreign government an extraordinary roadmap to blackmail, impersonate or otherwise exploit federal employees in an effort to gain access to U.S. secrets --or entry into government computer networks.
Read MoreGovernment hack raises red flags for investors
Outside experts were pointing to the breaches as a blistering indictment of the U.S. government's ability to secure its own data two years after a National Security Agency contractor, Edward Snowden, was able to steal tens of thousands of the agency's most sensitive documents.
After the Snowden revelations about government surveillance, it became more difficult for the federal government to hire talented younger people into sensitive jobs, particularly at intelligence agencies, said Evan Lesser, managing director of ClearanceJobs.com, a website that matches security-clearance holders to available slots.
"Now, if you get a job with the government, your own personal information may not be secure," he said. "This is going to multiply the government's hiring problems many times."
The Social Security numbers were not encrypted, the American Federation of Government Employees said, calling that "an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce."
"Unencrypted information of this kind this is disgraceful -- it really is disgraceful," Brenner said. "We've had wakeup calls now for 20 years or more, and we keep hitting the snooze button."
Read MoreUnion claims hackers hit all federal employees
Samuel Schumach, an OPM spokesman, would not address how the data was protected or specifics of the information that might have been compromised, but said, "Today's adversaries are sophisticated enough that encryption alone does not guarantee protection." OPM is nonetheless increasing its use of encryption, he said.
The Obama administration had acknowledged that up to 4.2 million current and former employees whose information resides in the Office of Personnel Management server are affected by the December cyberbreach, but it had been vague about exactly what was taken.
J. David Cox, president of the American Federation of Government Employees, said in a letter Thursday to OPM director Katherine Archuleta that based on incomplete information OPM provided to the union, "the hackers are now in possession of all personnel data for every federal employee, every federal retiree and up to 1 million former federal employees."
Another federal employee group, the National Active and Retired Federal Employees Association, said Friday that "at this point, we believe AFGE's assessment of the breach is overstated." It called on the OPM to provide more information.
Rep. Mike Rogers, the former chairman of the House Intelligence Committee, said last week that he believes China will use the recently stolen information for "the mother of all spear-phishing attacks."
Spear-phishing is a technique under which hackers send emails designed to appear legitimate so that users open them and load spyware onto their networks.