Hiring a developer to build your website is always a bit of a minefield. There’s just so much that can go wrong, especially if you pick a developer that isn’t qualified or competent. Or just plain untrustworthy.

One example of this comes from the Netherlands, where law enforcement are warning 20,000 people that their email accounts may have been hacked after an unnamed web developer left backdoors in the sites he built.

According to The Register, a 35-year-old from Leeuwarden used the personal information he stole from his customers to open gambling accounts, and to convince friends and relatives of the victims to transfer money and make online purchases on his behalf.

A notice published by Dutch police says that “Various companies used him to build sites with web shop functionality.”

The criminal then installed a custom script that allowed him to harvest usernames and passwords. He then used them to break into the email and social media accounts of his victims.

The man was arrested last year after a related investigation from 2014 exposed the extent of his crimes.

Dutch police have alerted website administrators to search for the backdoor script he employed, and to employ only trustworthy web developers.

In addition, they’re encouraging victims to check their accounts and change their email passwords. It’s probably a good idea to set up two-factor authentication, too.

Dodgy Dutch developer built backdoors into thousands of sites on The Register
