Update Dutch police are this week warning 20,000 users that their email accounts were hacked after a malicious web developer left backdoors in the sites he built.
Cops found the credentials in the un-named 35-year-old man's email account and say he used the stolen personal details to open accounts, convince family members to transfer money, and make online purchases. Some of the identity abuses are impossible to trace, police say.
The Leeuwarden man established himself as a legitimate webmaster building ecommerce sites, but used the backdoor to steal customer logins.
"Various companies used him to build sites with web shop functionality," police say (Dutch).
"The man was able to capture usernames and passwords by installing a special script.
"He then used those credentials to break into email and social media accounts of customers of those shops."
The man was arrested last year after a 2014 police operation gradually expanded in scope as the extent of his crimes was realised.
He used stolen social media accounts to convince victims' family members to transfer money to him and opened accounts on online gambling sites with personal information he acquired.
Police are now warning (Dutch) victims to check their accounts and change email passwords, and have alerted website admistrators to search for the backdoor script he implanted.
They also warn webmasters to employ trustworthy web developers since such backdoors are easy to place. ®
Updated to add
Dutch police have warned that there is already a fake email with an attachment containing some of the usual nasties that is doing the rounds. The police's communications will not contain any download links or attachments, they advised. They added: "Never download files in emails if you do not know the sender."