Odido Customer Data Breach and Extortion Leak Campaign
Dutch telecom Odido reported that attackers stole data on 6.2 million current and former customers, while the threat actor claimed the dataset covers 8+ million people and demanded €1M+ in ransom, threatening to publish data in daily tranches if unpaid. Reporting indicates the company refused to pay, and the extortionists proceeded with a staged leak strategy intended to maximize public and media impact.
Subsequent leak batches reportedly included not only typical customer identifiers (e.g., names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers) but also internal customer-service notes containing highly sensitive context such as stalking, threats, domestic violence, and protected addresses—creating potential physical safety risks for affected individuals. The leak cadence was described as multiple dumps over consecutive days (including a “final dump”), drawing significant national attention in the Netherlands and increasing the likelihood of intensified law-enforcement focus on the perpetrators.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Final dump of all remaining Odido data is released
The day after the third release, the attackers published a final dump containing the remaining stolen Odido data. This completed the multi-stage public leak sequence described in subsequent coverage.
Third staged Odido data dump is released
According to later reporting, a third dump occurred a few hours after the second release. The continued cadence suggested the leak campaign was being timed for maximum public and media impact.
ShinyHunters threatens more Odido leaks over the next two weeks
After the second batch was reported, the threat actor ShinyHunters said it would continue releasing more Odido data over the following two weeks if payment was not made. The statement escalated pressure on Odido after the company refused the ransom demand.
Second Odido data dump exposes sensitive internal notes
A second batch of leaked Odido data was reported by Dutch media to contain highly sensitive internal customer notes, including references to stalking, threats, domestic violence, and protected addresses. Reporting said the exposed information created potential physical safety risks for affected customers.
First Odido data dump is released
The stolen Odido data began to be published in staged releases over several days. This first dump marked the start of the public leak campaign tied to the extortion attempt.
Attackers demand over €1 million and threaten staged leaks
The threat actor demanded more than €1 million from Odido and threatened to publish 1 million lines of stolen data per day if the company did not pay. Odido refused to pay the ransom.
Odido customer data is stolen in a major breach
Attackers stole customer data from Dutch telecom company Odido. Odido said the breach affected 6.2 million current and former customers, while the attackers claimed to hold data on more than 8 million people.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Odido Customer Contact System Breach Exposes Data of 6.2 Million Customers
Dutch telecommunications provider **Odido** disclosed a cyberattack in which threat actors gained unauthorized access to a **customer contact/CRM system** and **downloaded personal data** associated with approximately **6.2 million customer accounts**. Odido stated the intrusion was detected over the **February 7–8** weekend and that access was terminated as quickly as possible; the company also reported the incident to the Dutch Data Protection Authority (**Autoriteit Persoonsgegevens**) and engaged external cybersecurity experts to support investigation and additional defensive measures. Odido said its **telecom operations were not disrupted**, and no threat actor group has publicly claimed responsibility; reporting also notes the attackers allegedly contacted Odido to assert they had stolen millions of records. Exposed data varies by customer but may include **full name, address/place of residence, mobile number, customer number, email address, IBAN bank account number, date of birth, and identification document details** (e.g., passport/driver’s license number and validity). Odido emphasized that **passwords** (including for the *My Odido* portal), **call logs**, **location data**, **invoice/billing details**, and **scans of ID documents** were **not** affected. Odido is notifying impacted individuals via email from **`info@mail.odido.nl`** or by SMS, and warned that the stolen data could be used for **impersonation and phishing** attempts that appear to come from Odido.
Mar 21, 2026
ShinyHunters Claims Large-Scale Data Theft From Dutch Telecom Odido
**ShinyHunters** has claimed responsibility for breaching Dutch telecommunications provider **Odido** (and brand **BEN**) and stealing a much larger dataset than the company initially indicated. Odido previously disclosed that attackers accessed its customer contact system and downloaded customer data, reporting the incident to the Dutch Data Protection Authority, cutting off attacker access, and bringing in external incident-response support. Odido said the exposed data varied by customer and could include identifiers and contact details such as name, address, mobile number, customer number, email address, **IBAN**, date of birth, and some ID details (e.g., passport/driver’s license numbers and validity), while stating that Mijn Odido passwords, call/location/data/billing details, and scans of identity documents were not exposed. ShinyHunters subsequently listed Odido on its leak site and alleged theft of **~21 million records** tied to **~8 million customers**, asserting Odido downplayed the scope. The gang’s claims also include highly sensitive elements—most notably **plaintext passwords**—and additional materials such as internal corporate documents and source code, which (if accurate) would materially increase risks of credential stuffing/account takeover, identity fraud, and follow-on intrusion. At the time of reporting, the expanded dataset details (including plaintext passwords and source code) were presented as **attacker claims** rather than independently confirmed by Odido.
Mar 26, 2026
Dutch Organizations Report Data Breaches and Extended Unauthorized Access
Dutch authorities reported a prolonged compromise at the Dutch prisons agency **DJI**, where attackers reportedly maintained access for at least **five months**. Exposed information included staff **email addresses, phone numbers, and security certificates**, and the Dutch NCSC indicated the intruders also accessed **phones, tablets, and laptops**, though the extent of data access on those endpoints was not confirmed; DJI did not confirm whether access had been fully removed. Separately, Dutch telecom **Odido** disclosed a **data breach followed by an extortion attempt**, after which attackers publicly released about **1M records** (including **317k unique email addresses**) and threatened additional leaks. The published data reportedly included **names, physical addresses, phone numbers, bank account numbers**, and customer-service notes; Odido’s notice also warned that **dates of birth** and government ID numbers (passport/driver’s license) were impacted. A **Canadian Tire** breach entry describes a different incident in Canada (October 2025) involving ~**42M records** with PBKDF2-hashed passwords and some partial payment-card metadata, and is not part of the Netherlands-focused events above.
Mar 21, 2026