BERLIN — A 20-year-old German scholar took benefit of passwords as weak as “Iloveyou” and “1234” to hack into on-line accounts of lots of of lawmakers and personalities whose political stances he disliked, officers revealed Tuesday, shaking Berlin’s political institution and elevating questions on knowledge safety in Europe’s main financial system.
Working from his pc in his mother and father’ dwelling, the younger man used comparatively easy strategies to hack into successive accounts, the authorities mentioned. There, he stole the customers’ private data and revealed it by means of Twitter over the course of December.
But it was not till late on Jan. three that an worker within the workplace of Andrea Nahles, chief of the center-left Social Democratic Party, lastly seen the hack and knowledgeable safety officers, who then scrambled to monitor the supply of the leaks.
At a time when Western officers are more and more cautious of digital interference in establishments and elections, and simply months earlier than European elections, the revelation of a widespread knowledge breach that took a month to detect has prompted harsh assessments of the preparedness of a nation that for many years has prided itself on its technological prowess. The information single individual, utilizing unsophisticated strategies, was accountable, solely compounded these issues.
On Tuesday, Chancellor Angela Merkel’s inside minister, Horst Seehofer, and senior safety officers pushed again towards accusations they’d been too sluggish to reply or had failed of their mission to preserve Germans secure on-line. They insisted they’d organized a response inside minutes of studying of the hack and mentioned they’d knowledgeable lawmakers concerning the danger of safety breaches after a 2015 hack on the government network.
“This incident is painful, but our reaction shows the security of the German people is ensured around the clock, also in the cybersphere,” Mr. Seehofer told reporters.
Holger Münch, the head of Germany’s federal police, said the young man, whose identity was not released because he was being treated as a juvenile, had admitted during questioning to stealing the personal data of an array of public figures. Most of them are politicians, from all of Germany’s leading political parties — save for the far-right Alternative for Germany, or AfD.
“Based on our assessment so far, we believe he acted alone,” Mr. Münch told reporters, adding that so far, investigators had no evidence that the hacker had any affiliation with a political party or other groups. “He acted out of a general discontent with politicians, or journalists, or public figures, who he wanted to expose. That was his motive.”
The man was detained on Sunday on suspicion of spying and illegally publishing personal information, crimes that carry a sentence of up to three years each. But because he has no previous criminal record and is being treated as a juvenile, it is likely that he would receive a much lighter sentence.
He has since been released on grounds there was not sufficient reason to hold him in detention pending the outcome of the investigation, said Georg Ungefuk, a prosecutor with the Frankfurt-based office responsible for cybercrimes, which is carrying out the investigation.
Germany’s main government network was breached by hackers in 2015, and the authorities worried that information obtained then would be used against politicians leading up to the 2017 election. Those fears were largely unfounded, but Mr. Seehofer, the interior minister, warned that last month’s breach should be a warning to everyone, especially ahead of the European parliamentary election in May.
“We must be prepared that outside actors may want to influence this election and take every precaution to prevent this and do what we can to recognize such an action as early as possible,” he said. “It could be a very different perpetrator.”
Despite the shock that a single person was able to agitate and alarm the country’s political establishment, Mr. Münch pointed out that many young people had committed crimes from computers in their bedrooms, citing examples of teens who had been caught selling weapons or drugs over the “dark web,” areas of the internet hidden from the view of most users.
Dirk Engling, spokesman for the Chaos Computer Club, a German collective of hackers, said the hack itself wasn’t technically difficult, but required a great deal of patience in order to learn the necessary passwords.
He listed previous examples in Germany of such hacks where an individual’s private information was stolen for the purposes of publishing online, known in the tech world as “doxxing,” but pointed out that they had largely gone ignored by policymakers.
“Now that they have been snatched from their online accounts, suddenly it seems to have changed some minds,” Mr. Engling said.
The authorities said that on learning of the breaches on Jan. 3, they immediately began coordinating efforts to find the source and request that Twitter take down the offending account, which happened the following morning.
The Twitter account announced in November that the leaks were coming, and on Dec. 1 it began posting the data, but apparently few people noticed until weeks later. The authorities said they were still evaluating hard drives and personal papers confiscated in a raid on the man’s home.
Of the nearly 1,000 people whose information was leaked, 949 were politicians, roughly half of them from the governing Christian Democratic Union, Mr. Münch said. While some of the information published was already public, there were 116 cases of personal documents that were illegally made public, he said.
Opposition lawmakers and members of Ms. Nahles’ S.P.D., which governs in a coalition with the Christian Democrats, have criticized the country’s cybersecurity office and Mr. Seehofer for failing to discover the incursion earlier. The hacker released the information through links and passwords posted on Twitter in the form of an Advent calendar, where a window is opened each day leading up to Christmas, revealing a treat.
Early postings involved the personal information of rappers, journalists and YouTube video bloggers, but from Dec. 20, information on members of five of the six political parties with seats in the German Parliament was released. It was not clear why AfD politicians were spared.
The attack raised new questions about whether the government had structures in place to adequately help users safeguard their computers and sensitive personal information.
Katarina Barley, the justice minister, said her office was looking into whether it made sense to further tighten the country’s already strict privacy laws, or those requiring software providers and companies running internet platforms to respond more swiftly to requests for data to be taken down.
“We are examining whether tightening the laws would make sense or be necessary,” Ms. Barley said. She and Mr. Seehofer encouraged Germans to use strong passwords, avoid using the same password for multiple accounts and two-step verification to access to their online accounts as their best.
“It can happen anywhere,” said Mr. Engling said of hacks on personal information. “It’s easy to always blame the Chinese and Russia, but using private email for business or political matters makes you susceptible.”