Hackers stole two million tonnes of polluting rights in a five-day raid this week on the European Union's carbon emissions trading system, an EU source said on Thursday.
The volume of carbon credits stolen in online action, which a European Commission spokeswoman was "possibly concerted", represents just a fraction of global industrial greenhouse gas permits, but is potentially worth many millions of euros.
The scale of the theft, which involved five unnamed EU states, was revealed a day after Brussels shut all 27 national trading registries for a week, citing inadequate online protection.
Credits stolen just from the Czech Republic were worth seven million euros.
Fourteen of the 27 European Union states need to boost their online security to minimum standards, the spokeswoman said.
The EU Emission Trading Scheme (ETS) is the largest multinational, greenhouse gas emissions trading scheme in the world, but has repeatedly suffered security breaches.
Maria Kokkonen, spokeswoman for Danish EU climate action commissioner Connie Hedegaard, did not list the countries immediately, but said powerhouse Germany was not among them as it had already reinforced security after a previous attack.
"We very much hope that this series of incidents speeds up the process" of tightening security ahead of a planned switch to an EU-wide registry in 2013.
"The sooner states take security measures, the sooner we can reopen the system," she stressed.
Last year a series of emails sent to trick users into divulging their passwords, a type of attack known as "phishing," sparked panic and forced a halt in trading in numerous countries.
The European police organisation Europol estimate a value added tax (VAT) scam on carbon credits in 2008 and 2009 netted criminals five million euros.
Explore further: EU energy policy encounters difficulties