Nederlands
English
Deutsch
Français
Español
Português
What is the Odido Data Breach?
The Odido data breach represents one of the largest cybersecurity incidents in Dutch history, where the notorious hacker group ShinyHunters compromised sensitive customer data from the Netherlands' largest mobile telecommunications provider. The attack, which occurred in February 2026, exposed personal information of approximately 6.2 million current and former customers, including names, addresses, phone numbers, email addresses, dates of birth, and approximately 275,000 IBAN bank account numbers. The hackers demanded over €1 million in ransom and have now published 680,000 customer records on the dark web after their ultimatum expired.
Background: The ShinyHunters Threat
ShinyHunters is a black-hat criminal hacker and extortion group that first emerged in 2019, known for its 'pay or leak' ransomware tactics. The group has claimed responsibility for 91 successful attacks against major corporations including AT&T, Microsoft, Google, and now Odido. Their name derives from Shiny Pokémon hunting in video games, reflecting their methodical approach to data theft. According to cybersecurity experts, ShinyHunters primarily uses voice-based social engineering (vishing) tactics, where criminals pose as IT helpdesk staff to trick employees into sharing passwords and authentication codes. The group has evolved to use deepfakes and AI voice cloning, making attacks harder to detect.
Similar to the 2024 Santander data breach that affected 30 million customers, the Odido attack demonstrates how sophisticated hacking groups are targeting telecommunications providers for their vast repositories of sensitive customer information. The group has reportedly merged with other threat actors like Scattered Spider and Lapsus$, expanding their operational capabilities.
The Attack Timeline and Data Compromised
How the Breach Unfolded
The attack was discovered over the weekend of February 7-8, 2026, when Odido's customer contact system was compromised. The company initially reported that 6.2 million customers were affected, but ShinyHunters claimed to possess information on more than 10 million current and former customers. The hackers gained access through social engineering by impersonating IT staff, a tactic that has become increasingly common in corporate cybersecurity attacks.
What Data Was Stolen
- Full names and physical addresses
- Email addresses and phone numbers
- Dates of birth and ID document details
- Approximately 275,000 IBAN bank account numbers
- Sensitive internal notes about financially vulnerable customers
- Customer service records and account information
On February 17th, 2026, it was revealed that Odido retained private customer data for much longer than their stated two years, with some prior customers having their personally identifiable information compromised even though they had switched away from Odido reportedly five to ten years before the leak.
The Ransomware Dilemma: To Pay or Not to Pay?
Cybersecurity expert Lisa de Wilde summarized the impossible choice facing Odido: 'Er is geen goede keuze te maken. Als je niet betaalt, weet je vrijwel zeker dat gegevens op straat komen. Betaal je wel, dan is het maar de vraag of criminelen hun belofte nakomen.' (There is no good choice to make. If you don't pay, you almost certainly know that data will be published. If you do pay, it's questionable whether criminals will keep their promise.)
Odido ultimately refused to pay the ransom, leading ShinyHunters to publish 680,000 customer records on the dark web. The hackers have threatened to release additional data over the next 16 days if their demands aren't met. This decision aligns with recommendations from cybersecurity authorities who advise against paying ransoms, as it doesn't guarantee data won't be resold and may lead to further blackmail.
Impact and Implications
For Affected Customers
The breach puts millions of Dutch citizens at risk of identity theft, financial fraud, and targeted phishing attacks. Cybersecurity experts warn that stolen information can reappear in other leaks even after payment, creating long-term risks for affected individuals. The Dutch Data Protection Authority has been notified, and the Public Prosecution Service has launched a criminal investigation into the breach.
For Corporate Cybersecurity
The Odido breach highlights critical vulnerabilities in telecommunications infrastructure and the need for enhanced security measures. According to recent statistics, data breaches in the Netherlands cost an average of €2,654 per record, significantly higher than the global average of €154. The incident underscores the importance of implementing employee training, additional verification methods, and phishing-resistant multi-factor authentication.
Similar to the Maastricht University ransomware attack that resulted in a €197,000 payment, the Odido case demonstrates how social engineering attacks are increasingly bypassing perimeter defenses by targeting employees directly.
FAQ: Odido Data Breach Questions Answered
What should affected customers do?
Affected customers should monitor their bank accounts for suspicious activity, enable two-factor authentication on all accounts, be vigilant against phishing emails, and consider placing fraud alerts with credit bureaus.
How did ShinyHunters breach Odido's systems?
The hackers used voice-based social engineering (vishing) by impersonating IT helpdesk staff to trick employees into sharing passwords and authentication codes, a tactic that has become increasingly sophisticated with AI voice cloning technology.
Is my password safe in this breach?
Odido has stated that passwords were not compromised in this breach, though customers should still change their passwords as a precautionary measure and avoid reusing passwords across multiple services.
What legal actions are being taken?
The Dutch Public Prosecution Service has launched a criminal investigation, and Odido has reported the incident to the Dutch Data Protection Authority, which could result in significant fines under GDPR regulations.
How can companies prevent similar attacks?
Organizations should implement comprehensive employee security training, use phishing-resistant multi-factor authentication, regularly audit third-party vendor security, and establish incident response plans for data breaches.
Sources
NL Times: Hackers publish 680,000 Odido customer records
Techzine: Odido refuses to pay ransom
Wikipedia: ShinyHunters hacker group
The Register: Odido breach affects 6.2 million customers
