Police did not name the 20-year-old but said on Tuesday that he lives with his parents, is not a computer expert and had no previous convictions.
He was arrested after police searched a property in the central state of Hesse on Sunday evening.
Investigators recovered a computer the suspect had removed two days before the search and a data backup.
“The accused admitted to having acted alone in data spying and the unauthorised publication of data,” the Federal Crime Office (BKA) said in a statement.
“The investigations have so far provided no indication of the participation of a third party.”
Suspicion had fallen on Russian hackers, who have been blamed for previous German data breaches, though the Kremlin has denied this.
Georg Ungefuk, a spokesperson for the Frankfurt prosecution service’s internet crime office ZIT, told reporters the suspect was repentant and unaware of the full consequences of his actions.
“The accused said he published the data because he had been annoyed by certain statements made by those affected,” he said, without specifying which statements had prompted the backlash.
The suspect was released on Monday for lack of legal grounds that would justify keeping him in custody, such as a risk of collusion or flight risk.
Styling himself “G0d”, the student published private information about politicians, journalists, and celebrities on Twitter under the username @_0rbit throughout December.
Authorities say almost 1,000 people, including journalists and celebrities, were affected by the data breach.
In most cases, the information published online was limited to basic contact details, but in up to 60 cases more extensive personal data was made public.
Merkel’s fax number, email address and several letters to and from her were among the leaked data.
The information appeared to include data on members of all parties in the German parliament except those from the far-right Alternative for Germany party.
Heiko Loehr, head of cybersecurity at BKA, said it was too soon to say if the suspect was acting out of far-right sympathies.
“We are still investigating his motives and whether they may have been criminal or politically motivated,” he told reporters, adding that police were also working to confirm whether the suspect did indeed work alone.
Holger Muench, head of BKA, said the suspect apparently did not use malware but instead “hacking methods to overcome passwords”.
The suspect could face charges of illegally obtaining data and handling stolen data, which can carry a sentence of up to three years in prison for adults.
However, his case is being considered under juvenile law, which carries a lesser sentence.
The breach has prompted calls for tighter data security laws, especially after the BSI cyber defence agency said it was contacted by a legislator in early December about suspicious activity on private email and social media.