The BSI said 16 million accounts containing passwords and email addresses had been compromised, according to information passed to it by law enforcement agencies and research institutions.
Authorities have set up a website where internet users can check if they have been affected, but the site crashed soon after it went up on Tuesday.
If the site does match the users email address as one of the 16 million stolen, then the BSI said the users computer was likely infected with malicious software.
Half of the accounts ended in .de meaning they were German-based, Tim Griese from the Frankfurt-based office said.
The theft was revealed in an analysis of illegal botnets – a collection of programmes which are used to breach a computer’s security and give access to a third party.
The hijacked computers are often infected with malicious software without the knowledge of users.
The BSI refused to give details on the source of the information, but advised victims to digitally clean their computer and change access to their online profiles.