
Odido

Analysis of the Odido data breach affecting over 6 million individuals in the Netherlands. Social engineering attack bypassed MFA and exposed customer data including IBANs and identity document metadata.

Published by the Scrutex.ai Research Team | March 2026

Disclaimer

This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.

At a Glance

Organisation: Odido. Largest mobile telecommunications operator in the Netherlands, formerly known as T-Mobile Netherlands, serving over 6.5 million individual subscribers and 600,000 businesses.

Sector: Telecommunications

Region: Netherlands

Date of Incident: February 7-8, 2026

Date Disclosed: February 12, 2026 (initial disclosure)

Estimated Impact: Over 6.5 million individuals and approximately 600,000 businesses

Data Types Exposed: Names, home and email addresses, phone numbers, dates of birth, bank account numbers (IBANs), passport and driver's licence numbers (metadata)

Attack Type: Social Engineering

Attack Vector: Social engineering (phishing and impersonation of IT staff) to bypass multi-factor authentication

Threat Actor: ShinyHunters

Current Status: Full dataset published on dark web from March 1, 2026. Odido refused EUR 500,000 ransom. Data of government ministers and intelligence officials found in leak.

Severity Assessment: Critical. Over 6.5 million individuals and 600,000 businesses exposed, including government officials and critical sector employees. IBAN exposure enables direct financial fraud.

What Happened

Dutch telecom provider Odido, the largest mobile operator in the Netherlands, disclosed in mid-February 2026 that attackers had gained unauthorised access to a customer contact system. According to Odido's own statement and reporting by TechCrunch, the breach is believed to have occurred on or around February 7 and 8, 2026.

The compromised data reportedly includes customer names, home and email addresses, phone numbers, dates of birth, bank account numbers (IBANs), and metadata from government-issued identity documents such as passport and driver's licence numbers. Odido has stated that passwords, call records, billing data, location information, and scanned copies of identity documents were not part of the breach.

The threat actor group known as ShinyHunters has been linked to the incident. According to NL Times, the group initially demanded approximately EUR 1 million in ransom, later lowering this to EUR 500,000. Odido publicly refused to pay, citing advice from law enforcement and cybersecurity advisors. Following this refusal, the full dataset was reportedly published on dark web forums over several days beginning March 1, 2026.

Subsequent reporting by NL Times and RTL revealed that the leaked data included records associated with Dutch government ministers, a senior intelligence official, individuals under state protection, and over 16,000 employees working in critical sectors including companies such as ASML and Philips.

An analysis by IO+ noted that the attack method was not a zero-day exploit but rather social engineering, specifically phishing and impersonation of IT staff, which was used to bypass multi-factor authentication. The publication raised questions about why a single compromised account could access records belonging to millions of customers, pointing to a failure in access segmentation and the principle of least privilege.

Timeline

February 7-8, 2026: ShinyHunters gain unauthorised access to Odido's customer contact system via social engineering

February 12, 2026: Odido publicly discloses the breach, confirming millions of customers affected

February 2026: ShinyHunters demand EUR 1 million ransom, later reduced to EUR 500,000

February 2026: Odido refuses ransom payment on advice from law enforcement

March 1, 2026: Full dataset published on dark web forums

March 5, 2026: Reports emerge that data of government ministers and intelligence officials is in the leaked dataset

Threat Actor Profile

ShinyHunters

ShinyHunters is a prolific threat group responsible for multiple high-profile breaches in early 2026, operating a coordinated campaign targeting SSO credentials via voice phishing.

The group's Odido attack used social engineering and impersonation of IT staff rather than technical exploits, demonstrating their focus on human-layer vulnerabilities.

Impact and Risk Assessment

For Affected Individuals

Over 6.5 million individuals had personal data exposed including IBANs, which can be used for unauthorised direct debit fraud.

Passport and driver's licence metadata, while not scanned copies, can still be used in identity fraud and social engineering attacks.

Dutch government ministers, intelligence officials, and individuals under state protection were identified in the leaked data, creating national security concerns.

For Organisations

Over 600,000 businesses had their data exposed, potentially including employee contact details and corporate account information.

Over 16,000 employees from critical sector companies including ASML and Philips were identified in the leaked data.

Odido faces significant reputational damage and potential regulatory action under GDPR.

Regulatory Context

GDPR applies directly, with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) overseeing the response. Fines of up to 4% of annual global turnover are possible.

The exposure of government officials' data may trigger additional national security review processes.

What Should You Do?

If You Are a Potentially Affected Individual

If you are an Odido customer, monitor your bank account for unauthorised direct debit transactions, particularly given the IBAN exposure.

Be alert to phishing attempts that use your personal details to appear legitimate. Do not respond to unsolicited calls or messages claiming to be from Odido.

Consider asking your bank to restrict direct debit authorisations on your account.

If You Are a Security or Risk Professional

Review internal access controls to ensure a single compromised account cannot access records for millions of customers. Implement the principle of least privilege rigorously.

Evaluate the resilience of your MFA implementation against social engineering. Consider phishing-resistant methods such as FIDO2 hardware keys.

If your organisation's employees are Odido subscribers, assess whether their exposed personal data creates corporate security risks.

Learnings and Recommendations

This incident is a reminder that social engineering remains one of the most effective attack vectors, even against large organisations with multi-factor authentication in place. MFA on its own is not a silver bullet if it can be bypassed through well-crafted phishing or impersonation.

Organisations holding large volumes of personal data should pay close attention to internal access controls. The fact that what was reportedly a single point of compromise could lead to the alleged exfiltration of millions of records suggests insufficient segmentation. The principle of least privilege, where each user or role has access only to the data it absolutely needs, is not a nice-to-have. It is a fundamental control.
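One way to test the segmentation point above in practice, as an added example that is not from Odido or the cited reporting: a per-account budget on distinct customer records read within a sliding window, run over constructed audit-log lines. The log format, account names, window and limit are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Parse 'ISO-timestamp agent=<id> customer=<id>' (assumed log format)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["agent"], fields["customer"]

def flag_bulk_readers(lines, window=timedelta(minutes=10), limit=25):
    """Return {agent: time the agent first exceeded `limit` distinct
    customer records inside any sliding `window`}."""
    recent = defaultdict(deque)      # agent -> (ts, customer) still in window
    distinct = defaultdict(Counter)  # agent -> customer -> hits in window
    flagged = {}
    for ts, agent, customer in sorted(map(parse_line, lines)):
        q, seen = recent[agent], distinct[agent]
        q.append((ts, customer))
        seen[customer] += 1
        # Expire events that have fallen out of the window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) > limit and agent not in flagged:
            flagged[agent] = ts
    return flagged

def sample_log():
    """Constructed data: two accounts doing ordinary lookups and one
    account reading sequential records at machine speed."""
    start = datetime(2026, 1, 1, 9, 0, 0)
    lines = []
    for i in range(8):   # ordinary: one lookup every 7 minutes
        t = (start + timedelta(minutes=7 * i)).isoformat()
        lines.append(f"{t} agent=agent-01 customer=C{100 + i % 5}")
        lines.append(f"{t} agent=agent-02 customer=C{200 + i}")
    for i in range(40):  # bulk: a new record every 2 seconds
        t = (start + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} agent=agent-03 customer=C{5000 + i}")
    return lines

if __name__ == "__main__":
    for agent, when in flag_bulk_readers(sample_log()).items():
        print(f"{agent} exceeded the distinct-record budget at {when}")
```

The same counter can back an enforcement point that blocks or steps up authentication once the budget is spent, so a socially engineered session is capped at a small number of records rather than the whole customer base.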

For companies and individuals in the supply chain of telcos, this also highlights the downstream risk. If your staff or customers are among the subscribers of a breached provider, their personal details may now be in the hands of threat actors, whether or not your own systems were involved.
