Millions of accounts containing passwords and email addresses were hacked by an unknown group, the Federal Office for Online Security (BSI) said on Tuesday.
But BSI President Michael Hange told Bayerischer Rundfunk radio victims were only now being told because authorities had needed time to make preparations.
That included setting up a website where people can check whether their details were among those stolen. The site, which went live on Tuesday, quickly crashed as 300,000 internet users attempted to see if their email addresses were among the ones hacked.
"We needed time to set up a process in line with data protection regulations and we also worked together with a provider," Hange said.
BSI said it had handled around 12. 6 million online queries and informed 884,000 affected users in Germany by Wednesday.
Justice Minister Heiko Maas, who is also responsible for consumer protection, has described the scale of the hack as "incomprehensible."
However he steered clear of laying blame on authorities for not making the hacking public sooner, stating he was "not familiar with such processes."
But he added: "If a tip is received and there is even a small chance that it's to be taken seriously, that must be communicated quickly."
"It's not just a case of computers being infected but about the theft of entire digital identities," Hange told the Tagesspiegel newspaper.
And Interior Minister Thomas de Mazière praised the BSI's "well-prepared operation".
The BSI said the theft had was discovered by criminal investigators but declined to say how or which authority had conducted the probe.
If the site does match the users email address as one of the 16 million stolen, then the BSI said the users computer was likely infected with malicious software.
Half of the accounts ended in .de meaning they were German-based, Tim Griese from Frankfurt-based BSI said on Tuesday.
Affected users are being warned to change all of their associated passwords, including those used to access social networks and for shopping online.
"In principle every form of abuse of data is possible," Thilo Weichert, Schleswig-Holstein state data protection officer, told the Berliner Zeitung. "We need to take this very seriously."