According to a report by Der Spiegel (via Google Translate), the authorities are for now keeping mum on how the trove was discovered, but the publication did some research and believes that this discovery is correlated with a similar one from January, when the German Federal Office for Information Security (BSI) has notified users about the compromise of 16 million online user accounts, most of which belonged to German citizens.
In fact, they believe that the same criminals - possibly from the Baltic states - might have been involved in both cases.
According to the authorities, at least 3 of the total 18 million compromised accounts likely belong to German users, as most were opened with a major German e-mail provider. The rest includes accounts with several international providers.
Affected users will apparently be contacted and informed about it directly, and it's possible that the BSI will set up a website where users will be able to check whether their accounts have been compromised, as they did in January.
In the previous case, it was ultimately discovered that only 1.6 million of the 16 million accounts on the list were actually affected, but this time it seems that the information is more current, and some of the accounts are actively abused.