A spokesman for the firm confirmed media reports that the personal data of online customers had for an unspecified time found their way onto the internet and were available to any web user.
However, account numbers and passwords were never vulnerable, the spokesman said.
The mistake had not been Schlecker's but rather had been made by an external service provider, he said. The error had since been fixed and the data no longer available online.
Daily Bild reported that the first and second names, the addresses, genders, email addresses and customer profiles were all accessible. A further 7.1 million email addresses of customers receiving the firm's newsletter were also available, the paper reported.
Schlecker was now investigating how the breach had occurred.
“We are in close contact with our service provider,” the Schlecker spokesman said.
Data protection specialist Tobias Huch, who discovered the data online, said: “We stumbled on this data breach by accident. Then we realized: this is no data leak, this is a wide-open door.”
The information was available from any regular computer, the paper reported. It could have been used by criminals masquerading as Schlecker to defraud customers, Huch said.
“They would write to the customers in the name of Schlecker – directly over the publicly available mail server. The customer would trust the correspondent, thinking, “Yes, it's Schlecker.” They would make purchases and hand over their bank details.”
Burkhardt Müller-Sönksen, media expert in the parliamentary group of the pro-business Free Democrats, said: “It's a scandal that this sensitive data can be made available. That is grossly negligent, a violation of the data protection regulations.”