NEW YORK (AP) — Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, obtaining credit card and passport numbers and other personal data, the company said Friday as it acknowledged one of the largest security breaches in history.

None of the Marriott-branded chains were threatened.

The full scope of the failure was not immediately clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times.

It was also unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.

The crisis quickly emerged as one of the largest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

Security analysts were alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also included.