Odido data leak looms as hacker deadline expires

The Dutch telecom provider Odido has been hit in the past weeks by a major data breach, with cybercriminals from the notorious 'ShinyHunters' group stealing personal information from up to 8 million customers - over one-third of the Netherlands' population. The hackers have demanded a ransom of over €1 million, threatening to leak the data if their demands are not met by Thursday, February 26th.

Odido suffered the attack over the weekend of February 7th-8th, 2026, which involved the theft of a vast amount of personal data. This included names, addresses, phone numbers, email addresses, dates of birth, customer numbers, bank account numbers, and even passport and driver's license details.

Lots of Odido customers' sensitive information exposed

While the company initially reported that 6.2 million customer records were affected, the ShinyHunters collective claims to have accessed data from as many as 8 million customers, encompassing 21 million lines of data.

Adding a disturbing dimension to the breach, public broadcaster NOS revealed that sensitive customer notes, including details about payment arrangements and whether customers have a guardian, were also stolen.  Some notes even include warnings about potential fraud, such as ex-partners attempting to impersonate contract holders. This specific type of data allows cybercriminals to craft hyper-targeted 'spear phishing' campaigns. A scammer possessing knowledge of a customer's specific financial dispute or legal guardianship status can bypass standard skepticism.

Odido claims it was unaware that this additional information had been compromised.

Hackers' ultimatum

ShinyHunters issued an ultimatum to Odido, demanding a ransom of over €1 million to be paid by today, February 26th. They've threatened to release 1 million customer records per day starting tomorrow, February 27th, if their demands are not met. The hackers stated, "This is your final warning. Otherwise, we will leak the data."

The hacker group has a track record of high-profile breaches, including Ticketmaster and Microsoft, and has threatened to weaponize the data immediately, pressuring Odido. Furthermore, the hackers claim to possess 21 million records, a figure significantly higher than Odido's confirmed 6.2 million. This disparity suggests that the attackers may have accessed legacy databases or backup archives that the company has not yet fully audited. If the hackers follow through on their threat, the Dutch digital ecosystem faces a prolonged period of instability, with waves of sensitive data hitting the dark web daily.

The impact of the Odido breach

The Public Prosecutor's Office has launched a criminal investigation into the cyberattack, acknowledging the seriousness of the situation given the massive scale of the data breach. This investigation could lead to legal action against Odido if they are found to have been negligent in protecting customer data.

The tangible impact of the breach is already visible across the Netherlands. Reports to the Central Identity Fraud Reporting Point (CMI) have more than doubled in the past week, surging to 590 confirmed cases related to Odido. This spike indicates that criminals are likely already using preliminary datasets to launch fraud attempts. Customers face an elevated risk of SIM swapping, phantom invoices, and WhatsApp fraud.

In response, Odido has offered a two-year subscription to F-Secure security software, which includes password management and phishing detection. While this is a standard corporate remediation tactic, security experts argue it does little to mitigate exposure of immutable data, such as dates of birth, or the newly revealed customer notes. Once intimate details regarding a customer's personal life are public, software cannot 'patch' the vulnerability. The burden of defense has effectively shifted to the consumer, who must now verify every digital interaction with heightened suspicion.