US officials assured the victims of the massive data breach of federal government workers that the technology to misuse stolen fingerprints did not exist, but two researchers just changed that.

Michigan State University researchers Kai Cao and Anil Jain have mastered the art of recreating a fingerprint, rendering common cellphone security measures useless, as announced in a paper published last month. While the researchers aren’t the first to fake fingerprints, their simple method can easily be replicated in any home office.

The revelation is troubling, coming only months after the Office of Personnel Management notified 5.6 million people that hackers had copied their fingerprints in a massive government data breach. At the time, OPM promised that “federal experts believe that, as of now, the ability to misuse fingerprint data is limited.”

OPM warned, however, that the possibility that fingerprint records could be used illicitly on a wide scale “could change over time as technology evolves.” As Kai Cao and Anil Jain’s research shows, the technology has, in fact, changed.

How Did The Researchers Streamline Recreating Fingerprints?

Cao and Jain began by installing special ink cartridges and paper into a Brother inkjet printer of the kind you might find in many home offices. The ink conducts electricity when printed on the specialized paper, creating a printed circuit. The researchers then scanned a fingerprint in high resolution, mirrored it, and printed it.

Using this simplified fingerprint-spoofing method, the researchers then placed the fake print onto the fingerprint readers of two popular Android phones, a Samsung Galaxy S6 and a Huawei Honor 7. Although both phones were designed to unlock only when the owner uses their finger, the fake print fooled the readers on both devices.

The announcement is particularly troubling because fingerprints aren’t used only to unlock smartphones; they are also used to authorize financial transactions. Unlike a compromised password, a compromised fingerprint cannot be reset. That is dire news for the 5.6 million OPM hack victims who may never again have sole ownership of their financial records.