The data theft was revealed by the Federal Office for Online Security (BSI) at the end of January but at the time it refused to give out further details.
Der Spiegel magazine reported on Sunday that email addresses and passwords for 600 government employees at every ministry were taken, alongside the 17 MPs.
The attack was carried out by eastern European criminals, according to Der Spiegel.
The BSI knew about the theft in August 2013, when they were warned by the Federal Office of Criminal Investigations (BKA), but only made it public in January.
It also set up a website where people could check if their email address was among the 16 million taken.
The theft was carried out through a "botnet" – a massive network of computers infected with malware.