AMSTERDAM — Hackers who broke into a web security firm issued hundreds of bogus security certificates for spy agency websites including the CIA as well as for Internet giants like Google, Microsoft and Twitter, the Dutch government said Monday.

Information technology experts say they suspect the hackers were probably cooperating with the Iranian government, and hundreds of thousands of private communications between Iranian Internet users and Google were likely monitored in August.

Roel Schouwenberg of Internet security firm Kaspersky said Monday night that “a government operation is the most plausible scenario.”

The latest versions of browsers such as Microsoft’s Internet Explorer, Google’s Chrome and Mozilla’s Firefox are now rejecting certificates issued by the firm that was hacked, DigiNotar.

In a statement Monday, the Dutch government released findings that greatly expand the scope of the hacking attack that DigiNotar first acknowledged last week.

External IT experts reviewing DigiNotar’s computer systems said the hack may have begun in June, not July as DigiNotar had previously asserted.

The experts said it had affected access not only to Google, but included 531 fake certificates for some 344 domains including sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, Mozilla, TorProject, and WordPress, as well as spy agencies including the CIA, Israel’s Mossad and Britain’s MI6.

DigiNotar is one of many companies that sell the “SSL” security certificates widely used to authenticate websites and guarantee that communications between a user’s browser and a website are secure.

In theory, a fraudulent certificate can be used to trick a user into visiting a fake version of a website, or used to monitor communications with the real sites without users noticing.

But in order to actually pass off a fake certificate, a hacker must be able to steer his target’s Internet traffic through a server he controls.

That’s something that only an Internet service provider can easily do – or a government that commands one.

The external review by Fox-IT – a Dutch company, with offices in Aruba and Great Britain – found that one fake certificate for was used 300,000 times between its activation Aug. 4 and when it was revoked on Aug. 29.

Almost all usage came from Iran.

“The list of domains and the fact that 99 percent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran,” it concluded.