Just when you thought 2020 couldn’t get any worse, add a digital pandemic on top of the worst public health catastrophe in 102 years.
Cybersecurity investigators are scrambling to assess the damage caused by a widespread breach of U.S. federal agencies and private companies. A list of affected organizations includes the Treasury, Commerce, Homeland Security, and State Departments, plus the National Institutes of Health, and parts of the Pentagon, according to the latest news reports.
Yet the blast radius likely extends much farther. In addition to the government, top national labs, and hundreds of universities, many big businesses may have been targeted by the 9-month-long cyberespionage operation. SolarWinds, the little-known software company based in Austin, Texas, that’s at the center of the compromise, estimates that more than half the customers of its pervasive Orion network management products could have been affected: around 18,000 customers.
That’s according to a Securities and Exchange Commission filing SolarWinds put out on Monday, now buried under a flurry of share sales disclosures. (You can view its since-stricken customer list, captured by the Internet Archive, to get an idea of the possible breadth of the cyberattack.)
SolarWinds was patient zero. The company’s systems were hacked, and its IT tools were subverted to deliver Trojan horses all over the map. The situation, a so-called software supply chain attack, recalls the NotPetya malware attack of 2017, when Russian agents unleashed a global cyberattack by subverting the software update mechanism of a popular accounting tool developed by a Ukrainian tech company. (You can read preliminary analyses of the SolarWinds hack by digital forensics firm FireEye and Microsoft.)
Though it’s still early and investigations are ongoing, cybersecurity researchers suspect nation-state hackers are to blame, due to the sophistication of the hacking campaign. In particular, they’re pointing fingers at the SVR, Russia’s foreign intelligence service and a successor to the KGB. As usual, the Russian Embassy in Washington, D.C., denied the allegations.
The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, tasked with coordinating defenses across government and industry, is attempting to get a grip on the situation, issuing alerts and advising people to update their software or unplug systems that use Orion tooling. But the agency is also reeling from recent turnover after President Trump removed its founding director, Chris Krebs, who refused to play along with Trump’s baseless election fraud claims. (To nip misinformation in the bud: Dominion Voting Systems, a central target of Trump’s conspiracy theorizing, says it has never used SolarWinds’ Orion products.)
When President-elect Joe Biden takes office in January (now that his victory is electoral college-official), he is going to inherit not just the COVID-19 scourge, but this unholy mess too.
Shot through the heart. The official death toll of the coronavirus pandemic exceeded 300,000 in the U.S. on Monday, the same day health workers began receiving the first doses of the emergency-approved Pfizer-BioNTech vaccine. A vaccine developed by biotech firm Moderna could become the second to receive FDA authorization this week. Walgreens and CVS Health executives say they expect to have COVID-19 shots available to the general public by early spring.
Buns and thighs. The reviews for Apple's Fitness+ are in—and everyone seems to think it compares favorably to Peloton's more expensive workout service. Data Sheet's usual author and Apple guru, Aaron Pressman, says the exercise catalogue is well-designed, but the routines seem "best suited for beginners and intermediate exercisers, and not more advanced users." Speaking of fitness, Amazon's Halo fitness band is now available to the public. (I wonder what its privacy disclosure label might look like...)
On pins and needles. Pinterest reached a $22.5 million settlement with Françoise Brougher, its former chief operating officer. She alleged that she endured mistreatment and gender discrimination while working at the company. Pinterest admitted no liability as part of the deal. Meanwhile, a judge ruled that Uber has less than a month to pay a $59 million fine to California’s Public Utilities Commission for failing to answer questions over a safety report detailing thousands of alleged cases of sexual assault. The ride-hailing firm says it is protecting victims' privacy by not releasing more information.
Aloha means "hello" and "goodbye." Larry Ellison, the cofounder, executive chairman, and tech chief of (future TikTok parent?) Oracle, is the latest tech billionaire to depart from California. After his company said it would relocate its headquarters to Austin, Texas, Ellison revealed in a letter to employees that he has taken up residence in Hawaii. He owns almost all of the island of Lanai.
Content moderation has been an issue online since the earliest Internet forum days. It's practically a rite of passage for tech startups to get tangled up in users' harassment and censorship allegations. So it is with the invite-only social network Clubhouse, which critics say is inadequately policing people's behavior. Vanity Fair puts under the microscope some of the controversies already fomenting on the audio-centric app.
In the bubble that is Clubhouse, pseudo-intellectual monologues from powerful users can go unchecked, leaving them free to promote racist ideas under the guise of posing legitimate questions or playing devil’s advocate. It’s the type of dialogue that wouldn’t necessarily be flagged on Twitter or Facebook either, but that seems especially common on an app with relatively less scrutiny and relatively more big-name users, who may feel comfortable airing views that would likely get ratioed elsewhere.
Disney’s profits on streaming services are expected to plunge—and investors love it by Geoff Colvin
Photos: U.S. health workers begin receiving COVID-19 vaccine by Alex Scimecca and Mia Diehl
Voting machine maker threatens to sue Fox News over conspiracy claims by Jeff John Roberts
TikTok, YouTube, Amazon targeted by FTC in privacy review by Ben Brody and David McLaughlin
After a blockbuster IPO, DoorDash’s challenge now is to deliver profits by Danielle Abril
(Some of these stories require a subscription to access. Thank you for supporting our journalism.)
ONE MORE THING
The family of Tony Hsieh, founder of the Amazon-owned e-commerce emporium Zappos, is having trouble piecing together the late entrepreneur's estate. Apparently, Hsieh, who died last month after sustaining injuries in a Connecticut house fire, left thousands of color-coded sticky-notes detailing financial commitments on the walls of his mansion in Park City, Utah, the Wall Street Journal reports. A sticky situation indeed; it sounds very much in keeping with Hsieh's famed management style.