As far as I have heard and read, there is no known exploit or backdoor into the individual NATS installations each affiliate program has. The hacker simply obtained a list of user/password combinations for each affiliate system and used that to enter each system. So the hacker had info to all the info any administrator/program owner of that NATS system would have access to (in other words, all info affiliates provided to the program when they signed up, and limited info, such as name and address and logins) about members.

The reason that some have said that info such as SSN or TIN and bank account info may be at risk is because most programs require affiliates to list a TIN or SSN when they sign up so that affiliates can be sent proper 1099 information at the end of each year. So any information entered by an affiliate into a NATS-based affiliate tracking system used by a given sponsor would, potentially, have been available to the hacker.

I am not sure why people seem to think this information (SSN, etc) is not at risk; it would seem to me that a hacker logging into a system and grabbing info would grab anything that could potentially be useful, rather than just an email address. A SSN and legal name, address, and banking info (if the affiliate is paid by wire transfer) would certainly be valuable.

I think the basis for saying no other info was taken is that, so far, no one has any identifiable identity theft cases that appear correlated to NATS... but then again, I doubt anyone has had any time to seek correlations. I suspect this issue will be unfolding for quite a while yet, and so the real answer as to identity theft risk may not yet be known.