In a staggering incident for Dutch telecommunications, Odido and its budget subsidiary, Ben, fell victim to a significant data breach orchestrated by the hacker group ShinyHunters. This breach, affecting more than 6.5 million current and former customers, has been labeled one of the largest data exposures in the Netherlands.
The attack was methodical, occurring over the weekend of February 7-8, 2026. Hackers executed a complex social engineering scheme using phishing emails and impersonated IT staff to bypass multi-factor authentication, eventually gaining access to Odido's Salesforce customer contact system. "They utilized a multi-stage social engineering tactic against Odido," said a cybersecurity analyst noting the sophistication of the operation.
"They utilized a multi-stage social engineering tactic against Odido,"
By the Numbers
The issue escalated when Odido publicly declined to meet the ransom demand set by the attackers, which was described as a "low seven-figure" sum. Following their refusal, ShinyHunters made good on their threats, commencing waves of leaks before fully publishing the dataset to the dark web on March 1, 2026. Initial reports estimated 6.2 million victims, but the finalized breach record holds data for over 6.5 million individuals, alongside sensitive records from 600,000 companies, including diplomats and high-profile administrators.
"low seven-figure"
Data leakage in this breach included more than just names and addresses. Information such as bank account details (IBANs), birth dates, and identifying metadata from passports and driver's licenses was exposed. Additionally, sensitive internal customer service notes raised significant privacy concerns.
Regarding the size and scale of the breach, a corporate executive remarked, "This is a major breach affecting millions of Dutch citizens, and the repercussions could last for years due to the nature of the data exposed."
The hacker group ShinyHunters, known for high-profile attacks in the past on organizations like Ticketmaster and Microsoft, operated with surgical precision against Odido. They initially acquired access by stealing passwords from customer service employees through phishing. They then used these stolen credentials to manipulate staff into granting further access under false pretenses as IT personnel. "This allowed them to scrape the Salesforce database undetected for 48 hours," noted the cybersecurity expert monitoring the breach.
"This allowed them to scrape the Salesforce database undetected for 48 hours,"
The ramifications for Odido's clientele are severe. Personal information, including residence permits and detailed service notes, poses heightened risks. "With sensitive notes about personal dealings and payment disputes now public, the potential for targeted spear-phishing increases significantly," explained a privacy advocate. Moreover, the financial implications are troubling, as exposed IBANs can facilitate unauthorized transactions, adding to the potential for identity fraud.
"With sensitive notes about personal dealings and payment disputes now public, the potential for targeted spear-phishing increases significantly,"
For affected Odido customers, immediate action is paramount. Individuals who have been customers in the last ten years are likely included in the breach. "If someone calls you regarding past billing issues, hang up immediately—it's likely a phishing attempt using your leaked notes," advised cybersecurity professionals to concerned users.
"If someone calls you regarding past billing issues, hang up immediately—it's likely a phishing attempt using your leaked notes,"
To mitigate risks, it is recommended that customers regularly monitor banking activity for suspicious transactions, change verification words, and remain vigilant against unsolicited communications. "Change your 'Verification Word' immediately to protect yourself," urged a data security specialist emphasizing the importance of proactive measures.
"Change your 'Verification Word' immediately to protect yourself,"
Following the breach, Odido reported the incident to the Dutch Data Protection Authority (AP) and has since implemented measures to secure the compromised systems. The situation has ignited national discussions on the safety of 'human-in-the-loop' systems and the necessity of safeguarding sensitive identification information within customer support frameworks. In this climate of heightened awareness, Odido, as the largest mobile service provider in the Netherlands, faces significant pressure to restore trust among its users and bolster its security protocols moving forward. The breach not only raises questions about the company's internal security measures but also prompts a larger conversation about the potential consequences of inadequate defense systems in a digital-first world.