The Federal Office for Online Security (BSI), Germany's internet security agency, has said that millions of Germans have had their usernames and passwords stolen.

The agency added that up to 16 million Germans may have been affected, according to information forwarded to them by law enforcement agencies and research teams. Many of the targeted computers, BSI says, will likely have malware infecting their systems.

The organisation notes on its webpage that the breach itself was discovered during in-depth research analysis of botnets.

A section of the BSI website was set up for German residents to check whether they had been compromised by the breach, but it crashed from traffic overload almost immediately after its launch. Users who submit their email addresses to the website are sent follow-up emails if their accounts have been infected.

Accounts that had been compromised were from websites that used email addresses as usernames, including social media and online shopping sites. Half of the compromised addresses were on .de top-level domains, meaning that they are likely to have been registered in Germany.

A developing threat

BSI has so far declined to comment on who or what was the source of the hacking, or on details of how the breach had been discovered.

The German hack comes shortly after US retail giant Target found out that it had been compromised in what is the second-largest data breach in American history, with 40 million credit and debit card details stolen.

German Social Democrat Party digital affairs officer Lars Klingbeil called for more investment in security research in the wake of the BSI revelation: "This case shows how the issue of online identity theft has developed, and that we probably have a lot to do in the future," he said to newspaper Tagesspiegel.

Despite the hack being disclosed publicly this week, the Mitteldeutsche Zeitung newspaper reported that BSI had been aware of it since December.