Nederlands
English
Deutsch
Français
Español
Português
Odido Data Breach: Hackers Release 6.2M Customer Records in Fourth Day of Leaks
The ShinyHunters hacking group has escalated their attack on Dutch telecommunications giant Odido, releasing what appears to be the largest batch of stolen customer data yet in the fourth consecutive day of leaks. This massive data breach, affecting 6.2 million current and former customers, represents one of the most significant cybersecurity incidents in Dutch history and highlights the growing threat of ransomware attacks on critical infrastructure.
What is the Odido Data Breach?
The Odido data breach is a major cybersecurity incident involving the theft of personal information from 6.2 million customer accounts at Netherlands' largest mobile phone company. Hackers from the notorious ShinyHunters group infiltrated Odido's customer service system (Salesforce) in early February 2026, compromising sensitive data including names, addresses, bank account numbers, and identification document details. Since Odido publicly refused to pay a 500,000 euro ransom demand on Thursday, the hackers have been systematically releasing portions of the stolen data online each day.
Timeline of the Attack and Data Releases
Initial Breach and Discovery
The cyberattack occurred in early February 2026, though Odido reportedly didn't discover the breach until the hackers made it public. The company, formerly known as T-Mobile Netherlands before rebranding to Odido in September 2023, serves approximately 6.9 million customers across the country. The breach exposed data from both current subscribers and former customers, with some information dating back 5-10 years despite Odido's stated two-year data retention policy.
Daily Data Dumps Begin
Following Odido's refusal to pay ransom on Thursday, February 26, 2026, ShinyHunters began their systematic data release campaign:
- Day 1 (Thursday): Initial data release with basic customer information
- Day 2 (Friday): Additional customer records with contact details
- Day 3 (Saturday): More comprehensive data including addresses
- Day 4 (Sunday): Largest release yet, potentially containing millions of records
The hackers' Sunday release included a renewed demand for payment, stating: 'Make the right decision, don't be the next newspaper headline and pay the ransom.'
What Data Was Stolen?
The compromised information represents a treasure trove for identity thieves and fraudsters:
| Data Type | Estimated Quantity | Risk Level |
|---|---|---|
| Full Names | 6.2 million | High |
| Physical Addresses | 6.2 million | High |
| Email Addresses | 6.2 million | Medium |
| Phone Numbers | 6.2 million | Medium |
| Bank Account Numbers (IBAN) | Millions | Critical |
| Identification Documents | 5 million unique | Critical |
| Dates of Birth | 6.2 million | High |
The identification documents include passport numbers, driver's license information, and residence permit details, making this breach particularly dangerous for identity theft. Similar to the 2025 European banking data breach, this incident exposes sensitive financial information that could be used for fraudulent transactions.
Who Are the ShinyHunters?
ShinyHunters is a notorious cybercrime group that emerged in 2020 and has claimed 91 successful attacks to date. The group specializes in voice-based social engineering (vishing), where they impersonate IT helpdesk staff to trick employees into sharing passwords and authentication codes. Unlike traditional hacking groups, ShinyHunters often collaborates with other threat actors like Scattered Spider and Lapsus$, recently rebranding as Scattered Lapsus$ Hunters and offering ransomware-as-a-service.
The group has targeted major international companies including Qantas, Pandora, Adidas, Chanel, AT&T, and most recently CarGurus. Their primary motivation is financial gain, though they also seek to cause reputational damage to companies that refuse their demands. Experts in cybersecurity threat intelligence note that ShinyHunters typically publishes extortion messages publicly rather than negotiating privately, increasing pressure on victim organizations.
Implications for Affected Customers
Immediate Risks
With 6.2 million individuals affected, the breach creates significant risks:
- Identity Theft: With 5 million identification documents compromised, criminals can create fake identities
- Financial Fraud: Bank account numbers enable unauthorized transactions
- Phishing Attacks: Email and phone data facilitate targeted scams
- Account Takeovers: Combined data enables password resets on other services
Long-Term Consequences
The breach may have lasting effects similar to the Dutch privacy regulation violations seen in previous years. Customers could face years of monitoring their financial accounts and dealing with identity theft attempts. The exposure of data from former customers raises questions about data retention practices in the telecommunications industry.
What Should Affected Customers Do?
If you're an Odido customer or former customer, take these immediate steps:
- Check Your Exposure: Visit Have I Been Pwned to see if your email appears in breach databases
- Monitor Accounts: Watch bank statements for unauthorized transactions
- Change Passwords: Update passwords on Odido and any accounts using similar credentials
- Enable 2FA: Activate two-factor authentication wherever possible
- Report Suspicious Activity: Contact your bank and the Dutch Data Protection Authority
Regulatory and Legal Implications
The breach places Odido at risk of significant GDPR penalties. Under European data protection regulations, companies can face fines of up to 4% of global annual turnover or €20 million, whichever is higher. Given the scale of this breach and the sensitive nature of the data, Odido could face one of the largest fines in Dutch history.
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has likely opened an investigation, and affected customers may pursue class action lawsuits. The breach also raises questions about data retention practices, as former customers from 5-10 years ago were affected despite Odido's stated two-year retention policy.
FAQ: Odido Data Breach Questions Answered
How do I know if I'm affected by the Odido breach?
If you're a current or former Odido (or T-Mobile Netherlands) customer from the past decade, assume you're affected. Check the Have I Been Pwned website with your email address used for Odido services.
What should I do if my bank account number was exposed?
Contact your bank immediately to flag potential fraud, monitor transactions daily, and consider requesting new account numbers if your bank recommends it.
Can Odido be fined for this data breach?
Yes, under GDPR regulations, Odido could face substantial fines from the Dutch Data Protection Authority for failing to protect customer data adequately.
Why didn't Odido pay the ransom?
Most cybersecurity experts and law enforcement agencies advise against paying ransoms as it encourages further attacks and doesn't guarantee data won't be leaked anyway.
How can I protect myself from future data breaches?
Use unique passwords for each service, enable two-factor authentication, monitor your accounts regularly, and consider using a password manager to generate strong credentials.
Sources
NL Times: Hackers publish full cache of stolen Odido customer data
Reuters: Hacking group begins leaking customer data from Dutch telecom Odido
CyberNews: ShinyHunters leak Odido customer records
The Independent: ShinyHunters hacking group profile
