Up to 300,000 Iranians may have had their Google email monitored using security certificates stolen from Dutch firm DigiNotar.
The figure came from a report into the breach at DigiNotar which let attackers generate hundreds of fake certificates.
The report suggests the certificates were used in Iran to eavesdrop on email accounts.
The list has been passed to Google so it can tell victims they may have come under government scrutiny.
On 30 August, security firm Fox-IT was called in to analyse the sequence of events at DigiNotar that led to the security breach. It published its interim report late on 5 September.
DigiNotar is one of many firms which help to ensure that no-one is eavesdropping on secure communications between users and the sites they visit.
It does this via security certificates which act as a guarantee of identity so people can be sure they are connecting to the site they think they are.
Anyone armed with a rogue certificate for a web firm or service can impersonate that organisation and get at communications that would otherwise be impossible to read because they are encrypted.
DigiNotar first took action to revoke fake security certificates on 19 July when it found that hackers had got access to its internal network.
The Fox-IT report suggests that the hackers were able to access those internal systems for a month before DigiNotar took action.
The first exploration by the hackers took place on 6 June, suggests the report, and the first rogue certificates were issued on 10 July.
"The network has been severely breached," said the report. It said security procedures at DigiNotar were clearly lacking because the tools the hackers used and installed on network computers can be detected by standard anti-virus software.
All evidence gathered by Fox-IT suggests that the attacks were carried out to help surveillance of Iranian net users. More than 99% of the 300,000 IP addresses known to have connected to Google's email service with the help of a fake security certificate are in Iran.
Fox-IT noted that the use of the fake certificates would also have given attackers access to small text files known as cookies that Google and many others use to recognise regular visitors.
As a result, Fox-IT said: "It would be wise for all users in Iran to at least logout and login but even better change passwords."
DigiNotar has called on the Dutch government to help it recover following the attack. In its wake Google and many others have issued updates to ensure that the fake certificates are no longer recognised.
DigiNotar is the second security certificate firm to suffer at the hands of hackers. In March 2011, Comodo revealed that it had been hit and pointed the finger at Iran.
Now evidence is emerging that the same hackers were behind both attacks according to a message posted to the pastebin website. In the message, the hacker or hackers claim to have access to four other security certificate firms.