Police in the Netherlands are contacting more than 20,000 people who they suspect had their data stolen by a rogue web developer.
They say the man coded a backdoor into the sites he built for businesses, to harvest their customers' data.
He then used the credentials to make online purchases, open gambling accounts and impersonate victims' family members, police allege.
Credentials for more than 20,000 people were found on the suspect's computer.
"He has worked for various companies building websites with online shopping functionality," police said in a statement in October, when they first revealed their investigation.
"It is suspected that he was able to capture usernames and passwords by installing a special script."
The 35-year-old suspect was arrested last July and the investigation is continuing.
The police have emailed the people whose contact information was found on the suspect's computer, encouraging them to change their online passwords. They said it was not possible to identify whether all the credentials had been abused.
However, the force has also warned that opportunistic scammers are impersonating the police and are sending out rogue attachments.
The genuine email from the Dutch police did not have an attachment.
"Never download files in emails if you do not know the sender," the police force advised.