Germany’s internet security agency said millions of Germans have had their passwords and usernames for websites stolen, with many of the targeted computers likely being infected with malware.

The Federal Office for Online Security (BSI) said the 16 million compromised accounts surfaced as a result of information forwarded to it by law enforcement agencies and research institutions.

Many of the compromised accounts have email addresses as their username, although social media users and online shopping portals were also targeted.

Agency spokesman Tim Griese said about half the accounts have .de domain-name endings, denoting German-based accounts, and it appears the majority of users are in Germany, AP reports.

The BSI has set up a web page where users can check whether their accounts were affected, although the site crashed soon after going live.

Citing an ongoing investigation, the agency did not say when the analysis of the illegal botnets – which are used to compromise computers with malicious software and cede control to a third party – was carried out, who might be behind the attack or what triggered the probe.