BERLIN — A 20-year-old German student took advantage of passwords as weak as “Iloveyou” and “1234” to hack into online accounts of hundreds of lawmakers and personalities whose political stances he disliked, officials revealed Tuesday, shaking Berlin’s political establishment and raising questions about data security in Europe’s leading economy.
Working from his computer in his parents’ home, the young man used relatively simple techniques to hack into successive accounts, the authorities said. There, he stole the users’ personal information and published it through Twitter over the course of December.
But it was not until late on Jan. 3 that an employee in the office of Andrea Nahles, leader of the center-left Social Democratic Party, finally noticed the hack and informed security officials, who then scrambled to track the source of the leaks.
At a time when Western officials are increasingly wary of digital interference in institutions and elections, and just months before European elections, the revelation of a widespread data breach that took a month to detect has prompted harsh assessments of the preparedness of a nation that for decades has prided itself on its technological prowess. The news that a single person, using unsophisticated methods, was responsible, only compounded those concerns.
On Tuesday, Chancellor Angela Merkel’s interior minister, Horst Seehofer, and senior security officials pushed back against accusations they had been too slow to respond or had failed in their mission to keep Germans safe online. They insisted they had organized a response within minutes of learning of the hack and said they had informed lawmakers about the risk of security breaches after a 2015 hack on the government network.
“This incident is painful, but our reaction shows the security of the German people is ensured around the clock, also in the cybersphere,” Mr. Seehofer told reporters.
Holger Münch, the head of Germany’s federal police, said the young man, whose identity was not released because he was being treated as a juvenile, had admitted during questioning to stealing the personal data of an array of public figures. Most of them are politicians, from all of Germany’s leading political parties — save for the far-right Alternative for Germany, or AfD.
“Based on our assessment so far, we believe he acted alone,” Mr. Münch told reporters, adding that so far, investigators had no evidence that the hacker had any affiliation with a political party or other groups. “He acted out of a general discontent with politicians, or journalists, or public figures, who he wanted to expose. That was his motive.”
The man was detained on Sunday on suspicion of spying and illegally publishing personal information, crimes that carry a sentence of up to three years each. But because he has no previous criminal record and is being treated as a juvenile, it is likely that he would receive a much lighter sentence.
He has since been released on grounds there was not sufficient reason to hold him in detention pending the outcome of the investigation, said Georg Ungefuk, a prosecutor with the Frankfurt-based office responsible for cybercrimes, which is carrying out the investigation.
Germany’s main government network was breached by hackers in 2015, and the authorities worried that information obtained then would be used against politicians leading up to the 2017 election. Those fears were largely unfounded, but Mr. Seehofer, the interior minister, warned that last month’s breach should be a warning to everyone, especially ahead of the European parliamentary election in May.
“We must be prepared that outside actors may want to influence this election and take every precaution to prevent this and do what we can to recognize such an action as early as possible,” he said. “It could be a very different perpetrator.”
Despite the shock that a single person was able to agitate and alarm the country’s political establishment, Mr. Münch pointed out that many young people had committed crimes from computers in their bedrooms, citing examples of teens who had been caught selling weapons or drugs over the “dark web,” areas of the internet hidden from the view of most users.
Dirk Engling, spokesman for the Chaos Computer Club, a German collective of hackers, said the hack itself wasn’t technically difficult, but required a great deal of patience in order to learn the necessary passwords.
He listed previous examples in Germany of such hacks where an individual’s private information was stolen for the purposes of publishing online, known in the tech world as “doxxing,” but pointed out that they had largely gone ignored by policymakers.
“Now that they have been snatched from their online accounts, suddenly it seems to have changed some minds,” Mr. Engling said.
The authorities said that on learning of the breaches on Jan. 3, they immediately began coordinating efforts to find the source and request that Twitter take down the offending account, which happened the following morning.
The Twitter account announced in November that the leaks were coming, and on Dec. 1 it began posting the data, but apparently few people noticed until weeks later. The authorities said they were still evaluating hard drives and personal papers confiscated in a raid on the man’s home.
Of the nearly 1,000 people whose information was leaked, 949 were politicians, roughly half of them from the governing Christian Democratic Union, Mr. Münch said. While some of the information published was already public, there were 116 cases of personal documents that were illegally made public, he said.
Opposition lawmakers and members of Ms. Nahles’ S.P.D., which governs in a coalition with the Christian Democrats, have criticized the country’s cybersecurity office and Mr. Seehofer for failing to discover the incursion earlier. The hacker released the information through links and passwords posted on Twitter in the form of an Advent calendar, where a window is opened each day leading up to Christmas, revealing a treat.
Early postings involved the personal information of rappers, journalists and YouTube video bloggers, but from Dec. 20, information on members of five of the six political parties with seats in the German Parliament was released. It was not clear why AfD politicians were spared.
The attack raised new questions about whether the government had structures in place to adequately help users safeguard their computers and sensitive personal information.
Katarina Barley, the justice minister, said her office was looking into whether it made sense to further tighten the country’s already strict privacy laws, or those requiring software providers and companies running internet platforms to respond more swiftly to requests for data to be taken down.
“We are examining whether tightening the laws would make sense or be necessary,” Ms. Barley said. She and Mr. Seehofer encouraged Germans to use strong passwords, avoid using the same password for multiple accounts and two-step verification to access to their online accounts as their best.
“It can happen anywhere,” said Mr. Engling said of hacks on personal information. “It’s easy to always blame the Chinese and Russia, but using private email for business or political matters makes you susceptible.”
Orignially published in NYT.