Huge cache of documents published daily in December but came to light only on Thursday

This article is more than 1 year old

This article is more than 1 year old

Sensitive data belonging to hundreds of German politicians, celebrities and public figures has been published online via a Twitter account in what is thought to be one of the largest leaks in the country’s history.

The huge cache of documents includes personal phone numbers and addresses, internal party documents, credit card details and private chats.

A government spokeswoman, Martina Fietz, said the leaks affected politicians of all levels including those in the European, national and regional parliaments. “The German government is taking this incident very seriously,” she said, adding that faked documents could be among the cache.

The documents were published online in December but only came to light on Thursday night.

Several letters to and from Angela Merkel were among the documents, revealing email addresses and a fax number, German media reported, though a government spokeswoman said no sensitive information from the chancellory was leaked. Cabinet members and the German president, Frank-Walter Steinmeier, were also among those affected.

Reports said all of the main German political parties except the far-right Alternative for Germany (AfD) had been hit.

Merkel’s Christian Democrats (CDU), their Bavarian sister party, the Christian Social Union (CSU), and the Social Democrats (SPD) spent Thursday night evaluating the scale of the damage and the authenticity of the documents, as did the liberal Free Democratic party, the Left party and the Greens.

Bild newspaper said the leaks contained data from 405 CDU-CSU politicians, 294 SPD politicians, 105 Greens, at least 82 Left party members and 28 FDP MPs.

That no AfD politician was affected prompted speculation that far-right sympathisers were behind the leaks.

The German Green party leader, Robert Habeck, was among those worst affected by the leaks as records of his personal chats with family members were reportedly posted online.

“You have to ask yourself where all this data comes from,” Michael Götschenberg, a reporter for ARD, who had seen part of the leaked cache, said on Friday. He said no politically sensitive data appeared to have been leaked but some “especially painful” personal chats relating to “family life” were among the documents he had seen.

Other reports said photos of ID cards, direct debit records and family photos were among the documents. The sheer range of data published means it likely came from multiple sources.

Much of the data is being treated as authentic, but there were suggestions some of it could have been faked. The SPD MP Florian Post told the German news agency dpa he had never seen at least one of the messages said to have come from his communications.

The leaks appeared on 1 December when the Twitter account @—0rbit began posting links on a daily basis in the style of an advent calendar.

German celebrities and journalists were initially targeted, including the TV personalities Jan Böhmermann and Christian Ehring, the actor Til Schweiger, the YouTube star LeFloid and the rapper Sido. From 20 December onwards the account started tweeting data from politicians.

The account, which was hastily shut down on Friday, purportedly had more than 18,000 followers. It described its activities as “security researching” and “satire and irony”, and said it was based in Hamburg.

A motive for the leaks remains unclear, as does how it could have stayed unnoticed for more than 10 days over the Christmas break. Spiegel reported that the Twitter account followed only a couple of others, including anonymousnews.ru, a site known for spreading far-right hate speech.

An interior ministry spokesman could not say whether the documents had been obtained via an external hacking attack on the German parliament or by an insider. “According to our current information, government networks have not been targeted,” Germany’s federal office for information security (BSI) tweeted on Friday.

One explanation floated by the interior ministry was that hackers had gained access to private email and social media accounts after obtaining a list of stolen passwords.

“After an initial analysis much evidence points towards the data being obtained through the improper use of login details to cloud services, email accounts or social networks,” the interior minister, Horst Seehofer, said in a statement on Friday. “Currently nothing points towards the system of the parliament or government having been compromised.”

Some of the leaked data could have been obtained during an earlier hacking attack on the German parliament. In 2015, the BSI shut down the parliamentary intranet for a spell after it emerged hackers had installed spyware on the system.

Last year, the government said a cyber-attack had targeted the foreign ministry’s computer network. At the time, both attacks were blamed on Russian hackers, accusations the Kremlin denies.

Security officials have in the past pointed the finger at APT28, a Russian hacking group experts say has close ties to a Russian spy agency and has been held responsible for an attack before the 2016 US presidential election.

The revelations on Friday triggered an emergency meeting of Germany’s national cyber-defence agency, a body set up by the BSI in 2016 to coordinate a response to online intrusions. German intelligence agencies have also asked for help from US intelligence in investigating the incident, said Bild.

German politicians expressed shock at the leaks and agreed that those behind them had intended to undermine public trust in democracy.

“Whoever is behind this wants to damage faith in our democracy and its institutions,” the justice minister, Katarina Barley, said in a statement.

“[Those] responsible want to intimidate politicians,” added the SPD secretary general, Lars Klingbeil. “That will not succeed.”