Last week, authorities in the German city of Verden reportedly discovered one of the country’s largest cases of identity theft, where up to 18 million email addresses and their associated passwords may have been stolen.
The city's public prosecutor has asked the country's Federal Office for Information Security (known by its German abbreviation BSI) for its help in notifying the affected users of the breach, according to a statement by the BSI. On Friday, the federal office said that it was working under "high pressure, so that affected internet users can be immediately informed".
The stolen identities were discovered in the context of an investigation into a botnet which is being used to send spam emails from stolen email addresses, according to the BSI. "The botnet is still in operation," according to a statement issued on Monday by the BSI, and "the stolen identities are being actively exploited."
Of the 18 million email users affected, three million are based in Germany. The BSI has been working in collaboration with email service providers in the country — including Deutsche Telekom, GMX, and Vodafone — to notify those who may be affected.
Because of strict privacy laws in the country, which require explicit permission for email contact, affected users can not be notified directly. Instead, they must log in to a special "safety test" website, where concerned users can enter their email address to check to see if it has been compromised.
The report comes less than three months after another case of widespread theft of email credentials in Germany.
In the earlier case, 16 million email addresses, usernames, and passwords were thought to have been stolen. At that time, the site that the BSI set up reportedly crashed under overwhelming demand.
The earlier theft was also discovered through an analysis of botnets, but it is unclear how — or if at all — the most recent case is linked to the previous attack. During the earlier case, it was reported that the attackers may have been from a Baltic state.