
ShinyHunters Claims Large-Scale Data Theft From Dutch Telecom Odido

Updated 3mo ago | First seen Feb 24, 2026 | 12 sources

ShinyHunters has claimed responsibility for breaching Dutch telecommunications provider Odido (and brand BEN) and stealing a much larger dataset than the company initially indicated. Odido previously disclosed that attackers accessed its customer contact system and downloaded customer data, reporting the incident to the Dutch Data Protection Authority, cutting off attacker access, and bringing in external incident-response support. Odido said the exposed data varied by customer and could include identifiers and contact details such as name, address, mobile number, customer number, email address, IBAN, date of birth, and some ID details (e.g., passport/driver’s license numbers and validity), while stating that Mijn Odido passwords, call/location/data/billing details, and scans of identity documents were not exposed.

ShinyHunters subsequently listed Odido on its leak site and alleged theft of ~21 million records tied to ~8 million customers, asserting Odido downplayed the scope. The gang’s claims also include highly sensitive elements—most notably plaintext passwords—and additional materials such as internal corporate documents and source code, which (if accurate) would materially increase risks of credential stuffing/account takeover, identity fraud, and follow-on intrusion. At the time of reporting, the expanded dataset details (including plaintext passwords and source code) were presented as attacker claims rather than independently confirmed by Odido.


EVENT TIMELINE

How this story unfolded

11 events from the most recent confirmed update back to the earliest known activity.

Mar 26, 2026 (3mo ago)

Dutch privacy regulator opens probe into Odido data retention

On March 26, the Dutch Data Protection Authority said it had opened a formal investigation into whether Odido kept customer personal data longer than legally necessary, after complaints from people who said their data was stolen despite no longer being customers. The authority and the Rijksinspectie Digitale Infrastructuur were also examining whether security around Odido’s customer systems had been adequate.

Source: "Onderzoek naar bewaartermijn klantgegevens Odido na hack" (Investigation into the retention period of Odido customer data after the hack)

Mar 25, 2026 (3mo ago)

CJIB phishing campaign linked to possible abuse of leaked Odido data

By March 25, the Dutch CJIB and fraud-reporting organizations were handling a surge of reports about fake traffic-fine emails demanding payment within 24 hours. Authorities and researchers said a connection to the Odido breach was plausible because the leaked personal data could be used to make the phishing messages more convincing.

Source: "Nepmails van CJIB in omloop: 'Verband met Odido-hack aannemelijk'" (Fake CJIB emails in circulation: 'Link with Odido hack plausible')

Mar 1, 2026 (4mo ago)

ShinyHunters publishes alleged full Odido dataset online

On March 1, ShinyHunters released what it described as the full Odido customer dataset for free online, culminating a series of four leak-site releases. Reporting said the final dump brought the exposed total to about 6.1 million unique email addresses and was characterized as one of the largest data leaks in the Netherlands.

Feb 27, 2026 (4mo ago)

Odido says it will not pay and offers customer protection support

As the leaks escalated, Odido CEO Søren Abildgaard said the company would not negotiate with the extortionists, in line with Dutch police guidance against ransom payments. Odido also offered affected customers a free 24-month digital security package and warned them to watch for phishing and fraud.

Feb 26, 2026 (4mo ago)

Have I Been Pwned adds the Odido breach

The Odido breach was added to Have I Been Pwned on February 26, making the exposed dataset searchable for affected users. Reporting said the breach involved approximately 688,100 customer accounts in the initial HIBP entry.

ShinyHunters begins daily leaks after ransom demand fails

After Odido refused to negotiate, ShinyHunters started a staged leak campaign, publishing about 1 million records on February 26 and another roughly 1 million early the next day. The leaked data reportedly included names, addresses, emails, phone numbers, IBANs, and identity document numbers.

Feb 24, 2026 (4mo ago)

Odido disputes key parts of ShinyHunters' data theft claims

After ShinyHunters' public claim, Odido confirmed the cyberattack but rejected assertions that plaintext passwords, social security numbers, billing data, call details, location data, or scans of identity documents were exposed. The company maintained the breach was limited to data in the customer contact system and that core telecom services were unaffected.

ShinyHunters claims Odido breach and issues extortion demand

By February 24, ShinyHunters added Odido to its dark web leak site, claimed responsibility for the intrusion, and threatened to leak stolen data unless the company paid more than €1 million. The group alleged it stole roughly 21 million records tied to about 8 million customers, including sensitive personal, financial, and internal corporate data.

Feb 12, 2026 (4mo ago)

Odido discloses breach and reports it to Dutch authorities

On February 12, Odido publicly disclosed the breach, said 6.2 million current and former customers were affected, and published an incident update and FAQ. The company also reported the incident to the Dutch Data Protection Authority and began notifying impacted customers by email or SMS.

Feb 7, 2026 (5mo ago)

Attackers exfiltrate customer personal data from Odido systems

During the intrusion, attackers accessed and downloaded customer personal data from Odido's contact system. Odido later said the exposed data could include contact details, IBANs, dates of birth, and some identity document details, but not passwords, call records, billing data, or ID scans.

Odido detects unauthorized access to customer contact system

Odido detected unusual activity and unauthorized access to its customer contact management system over the weekend of February 7–8, 2026. The company says it terminated the access quickly and began incident response measures.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

45 linked

Threat actors (1 linked)

Affected products (3 linked): Zendesk, Dropbox, Dropbox

Organizations (41 linked): Odido, Ben, Salesforce, Betterment, Have I Been Pwned, Soundcloud, Optimizely, Zendesk, Tether, Atlassian, AT&T, SAP, Okta, Dropbox, PayPal, Microsoft Corporation, Adobe, Hackread.com, Slack Technologies, Pornhub, Revolut, Tines, Medibank, Google, Security Affairs, Crunchbase, Tele2, Match Group, Panera Bread, Cifas, Figure, Canada Goose, International Cyber Digest, T-Mobile Netherlands, Simpel, Warburg Pincus, Apax Partners, N26, Bunq, MGM Grand, Nederlandse Omroep Stichting