Dutch dev stole 20,000 passwords from websites he built for businesses

Netherlands Police is reaching out to potential victims via email this week after finding the cache of credentials on the seized laptop. The credentials were used to illegally access victims’ email and social media accounts and to commit fraud and identity theft.

The developer acquired the trove of credentials over several years from 140 websites he’d built for business customers in the Netherlands. Besides building e-commerce features, he’d planted a hidden script to capture their customers’ credentials for the online stores.

“Those credentials he then used to break into email and social media accounts of customers of those shops,” the police said.

The police also reminded consumers to use a different password for each online account, noting that in this case the man used logins he’d acquired from one online shop to access social media and email accounts.

The man’s motivation for running the racket was likely to feed his gambling addiction, according to police. He had used other people’s identity cards to register with online gambling sites, and used breached social media accounts to pose as family and dupe victims into transferring money to an online payment service, which he then moved to credit cards and spent.

Police arrested the unnamed 35-year-old developer in July after a two-and-a-half year investigation triggered by a report by a retailer over a single fraudulent order. The investigation was widened in mid-2016 after the scale of the fraud became clear. Police then announced his arrest and activities in October, ahead of a court hearing.

Police say they’ve approached affected companies in the Netherlands, advising them to scan for the presence of the script. They also recommend using reputable web developers or having the online shop vetted by someone other than the developer.

Scammers appear to have latched on to the plan to email victim accounts this week, with reports that people have received emails that appear to be sent by the police with links in the body. Netherlands police noted the emails it’s sending this week contain no links as there's nothing to download.

Stories by Liam Tung
