A list of 16 million email addresses and passwords has fallen into the hands of botnet operators, the German Federal Office for Information Security (BSI) said Tuesday.
It remained unclear though to what these login credentials provide access. They could be logins for mail accounts, Facebook accounts, Amazon accounts or other online services, said BSI Spokesman Tim Griese.
About half of the addresses are from the German .de domain, Griese said, adding that there are also French and .com addresses on the list.
Law enforcement agencies found the list of email addresses and passwords while analyzing several botnets. Only the list of email addresses was shared with the BSI, Griese said.
Users were invited to check their email address against the list by sending their address to the BSI using a website made specially for this purpose. Email addresses that are on the list will then receive an email with a code from the BSI.
The BSI couldn't simply email all the addresses on the list because under German law it is not allowed to send emails to people who did not ask to receive one, Griese said. An email from the BSI about compromised accounts might also be regarded as spam and deleted immediately, he said.
By creating an online tool the BSI circumvents this problem, Griese said, adding that this will hopefully also lead to more awareness of online security.
While the BSI said this was likely a case of large scale identity theft, Griese declined to discuss what the stolen login credentials were or could have been used for while the investigation continues. "We can't tell more about the background," Griese said, adding that for the same reason he couldn't disclose which botnets were involved.
Identity theft however is one of the biggest risks when using the Internet, the BSI said in a news release. Criminals steal identities to act on the behalf of Internet users by sending emails in their place, or shop at the expense of others or do harm to them in other ways, the BSI said.
Users whose account might have been compromised should check their computer for malware, the BSI Said. Because it is unclear at the moment what the stolen login credentials unlock, compromised users should also change all their passwords, Griese said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to email@example.com