After the hack: why Odido’s crisis is only getting bigger


A massive data breach, private information published on the dark web, millions of victims, a fake class-action lawsuit, and a criminal investigation launched by the Public Prosecution Service. For some, this may sound like a script for a Hollywood blockbuster.

However, for millions of affected customers, this is the harsh reality following the cyberattack on Odido last month. In just a few weeks, a lot has happened. And the story keeps on developing.

Let’s recap the events and see where this is going.

What exactly happened?

On Thursday, February 12th, 2026, Dutch telecom operator Odido announced that it had been hit with a cyberattack during the weekend of February 7th and 8th. According to the telecom provider, the attackers successfully downloaded the personal data of 6.2 million customers from the company’s customer relationship management system.

This included full names, postal addresses, telephone numbers, customer IDs, bank account numbers, dates of birth, and government-issued ID numbers, such as passports and driver’s licenses. A lot more private details were taken, but we’ll get to that later on. No passwords, phone records, location data, invoice details, or scans of ID documents were exfiltrated.

The incident was immediately reported to the Dutch privacy and data protection authority. Affected customers were personally informed about the data breach. They were advised to be vigilant for unusual activities.

“We take this incident very seriously. Immediately after discovering the data breach, we blocked the unauthorized access to the customer relationship management system, implemented additional security measures, scaled up monitoring of unusual activities, and raised employee awareness of cybercriminal activities and methods,” Odido said in a press release.

How did the hackers get access to so many customer details?

That’s the million-dollar question. Although the investigation is still ongoing, rumors have circulated that the events at Odido are part of a wave of Salesforce data breaches.

According to anonymous sources, this is what happened. Remember, this hasn’t officially been confirmed by the telecom operator or the authorities.

Allegedly, the attackers posed as IT staff members and tricked employees into approving fraudulent login attempts, thus bypassing multi-factor authentication (MFA). Several employee accounts were hacked this way, allowing the hackers to gain access to Odido’s Salesforce environment. Lastly, the attackers used scraping software to exfiltrate the personal information of millions of customers.

ShinyHunters claim responsibility for the cyberattack on Odido

Days after the cyberattack, a group of cybercriminals called ShinyHunters claimed to have breached Odido’s customer system. This makes sense, since the Salesforce data breaches have been linked both to this extortion group and to the tactics, techniques, and procedures (TTPs) allegedly used in this case.

On February 24th, ShinyHunters threatened to leak 21 million records on the dark web if the company refused to pay ransom. The exact amount of the ransom remains unclear, but security experts estimate it’s several million euros.

“This is a final warning to come back to our chat and finish what we set out to do before we leak along with several annoying (digital) problems that’ll come your way,” the extortion group said in a blog post.

To prove they weren’t messing around, on February 26th, ShinyHunters published the first batch of the stolen data on the dark web. This included personal details of approximately 430,000 individuals and 290,000 businesses.

The next day, on February 27th, the extortion group revealed private information of 649,000 customers, as well as over 340,000 International Bank Account Numbers (IBANs).

On February 28th, 365,000 driver’s license numbers, 245,000 European identity card numbers, and 180,000 passport numbers appeared on the dark web, as well as identification details for thousands of privileged documents, such as identity cards for diplomats and embassy personnel.

On numerous occasions, Odido said it wouldn’t negotiate with or pay the attackers. Therefore, on Sunday, ShinyHunters decided to publish all the stolen data on the dark web. According to Dutch news outlet NOS, this included personal details of at least 6.5 million people and 600,000 businesses.

Odido: “Additional data has been leaked”

In the days after the incident, Odido revealed that “additional data” was stolen from its corporate customer relationship management system. The operator couldn’t, or wouldn’t, disclose what additional information was taken, but promised to keep affected customers informed of any new developments.

However, the leaks have shown that a lot of private and sensitive information was stolen as well. In the past few days, social security numbers (BSN), notes from Odido’s customer service, and payment reminders and notices to clients have appeared on the dark web.

And that’s just the tip of the iceberg. Details about clients with a registration at the Bureau of Credit Registration (BKR), clients who are being investigated for fraud, clients who have demonstrated violent behavior to Odido’s employees, and victims who are being stalked, are involved in domestic violence, or have a protected address, have also appeared on the dark web. This is the kind of information you don’t want to end up in the wrong hands.

“This is very worrying. If the threat is still present, it can be very dangerous if this type of data ends up in the public domain,” a cybersecurity expert told Dutch news outlet RTL Nieuws.

Fake class-action lawsuit

Right after the incident, affected people expressed their anger on social media, threatening to switch providers or demanding damages and financial compensation. Some claim they’ve already received phishing emails and calls from scammers pretending to be bank employees. Others feel they’re being left in the dark, or that Odido falls short in preventing cybercriminals from leaking their data.

However, Odido isn’t just going to compensate victims for their worries that easily.

“A data leak does not automatically give a right to compensation. Our work is currently focused on preventing customers from suffering any damage because of this incident. We informed customers in advance so they can be extra alert for suspicious signs,” the provider says on its website.

Scammers capitalized on the events and the sentiments and launched a fake website where victims could submit a claim for damages after paying a one-time contribution of €50.

Experts immediately pointed to several red flags. For starters, it was too soon to launch a class-action lawsuit against Odido, as the investigation into the incident is still ongoing. In addition, paying to participate in a class-action lawsuit isn’t the way it works.

Furthermore, the website stated false information, didn’t mention a Chamber of Commerce (CoC) number, didn’t publish general terms and conditions, and offered false prospects of compensation, ranging from €500 to €1,500.

Fortunately, the fake website was taken down in just a few days. How many people fell victim to the site remains unknown.

Public Prosecution Service announces investigation

The General Data Protection Regulation (GDPR), Europe’s privacy legislation, dictates that if a company has suffered a data breach, it must notify the country’s data protection authority within 72 hours. That’s what Odido did when it first got wind of the breach.

Depending on the impact and scale of the breach, the supervisory authority will decide whether it will investigate the incident, issue a fine, or reprimand the company.

In this case, however, the Dutch Public Prosecution Service is involved as well, which is quite exceptional. A spokesperson has told news agency ANP that the Public Prosecution Service is investigating the cyberattack at Odido. He wouldn’t provide any further details, except that it concerns a criminal investigation.

Odido’s recommendation: no need to change your passport

The story is far from over, and developments are occurring at a rapid pace. Not only is the data breach large in scale, affecting millions of current and former customers and businesses, but it is also very dangerous. Scammers can use the leaked details to impersonate trusted companies, such as a bank, but also to send phishing emails and commit identity fraud.

Odido is recommending that victims be extra alert for unexpected phone calls, text messages, emails, or WhatsApp messages. They should also regularly check their bank accounts.

According to the telecom company, it’s not necessary to change passwords because no passwords have been leaked.

“You can change your passwords if that makes you feel more comfortable,” the operator says.

Furthermore, victims shouldn’t run to city hall to replace their passports or driver’s licenses because no copies or scans of IDs were part of the data breach. Replacement costs will therefore not be reimbursed.

People who have recently taken out a subscription with Odido or want to terminate their contract prematurely because of the incident are out of luck.

“The data leak itself is not a valid reason to terminate your agreement early,” the operator stipulates.

To accommodate affected customers and businesses, Odido is offering them 24 months of F-Secure for free. The digital security package protects devices against viruses, phishing, and other online threats. Details on how to activate your F-Secure voucher are listed on this page.

To see if your personal information has been leaked in the Odido data breach, visit Have I Been Pwned and enter your email address.

