Dutch Telecom Odido Hit: Over 6 Million Records Leaked

The Breach and Deadline

The breach took place between February 7th and 8th. It was confirmed by Odido on February 12, 2026. The infamous hacking group ShinyHunters claimed responsibility for the attack. After infiltrating the company’s systems and exfiltrating the data, the attackers demanded a ransom of 1 million euros, setting a deadline of February 26, 2026. Odido refused to comply, and the deadline passed without payment.

It is important to note that the company and the attackers reported different figures regarding the scope of the breach. Odido stated that approximately 6.5 million customers were affected, while ShinyHunters claimed the number was 21 million.

Following the missed deadline, ShinyHunters began gradually releasing the stolen data on the dark web. The leak started with roughly 680,000 customer records but quickly escalated. Within a few days, nearly 6.5 million customer records had been published. These records include full names, government IDs, banking information, emails, and other sensitive personal data.

About ShinyHunters

ShinyHunters is an infamous black hat hacking group that has been active since 2019. They are behind numerous high-profile attacks, including the 2024 AT&T breach, which resulted in the theft of over 110 million records and a ransom payment of $370,000. The group has been linked to dozens of other major data breaches. Their largest known ransom occurred when they breached software giant PowerSchool, securing over $2.8 million.

Prosecutor’s Office Investigating

The Dutch Prosecutor’s Office has launched an official investigation into Odido for the mishandling of customer data. The prosecutors are citing the European General Data Protection Regulation (GDPR) and may have the authority to impose a fine on the company.

Odido Response

In a typical PR statement, Odido emphasized that its focus has always been on its customers. Regarding the decision not to pay the ransom, the company cited guidance from authorities and the police. Odido stated that it does not negotiate with criminals or engage with blackmail. Some critics have argued that the ransom was relatively small—slightly more than 10 cents per affected customer. The company concluded by reaffirming that its efforts remain dedicated to supporting both its customers and employees.

Community Backlash Ends With Scams

Customers of Odido have begun pushing back against the company, with movements forming on social media encouraging users to switch to other providers. Unfortunately, scammers quickly seized on the situation, creating a fake class-action lawsuit website claiming that victims could seek compensation for the breach. The fraudulent site demanded a one-time fee for users to apply, exploiting the very customers already affected by the data leak.

A Serious Data Problem

As a telecom provider, Odido collects highly sensitive information, including full addresses, government IDs, and personal details. Given its position in the tech sector, one would expect robust security measures—but this breach has proven otherwise. This incident ranks among the most significant recent data breaches and has the potential to cause serious harm. What is particularly concerning is that events like these are not uncommon, and they come at a time when online identity verification is becoming increasingly widespread.

One notable example is Discord, which recently suffered a data breach exposing users’ government IDs. Shortly afterward, the company implemented full-scale ID verification across its services. However, due to significant community backlash, Discord had to scale back parts of that system. This is just one example; similar breaches are increasingly frequent across platforms, and in some regions, strict data verification measures are even mandated by law.

This situation raises critical questions: if a company whose core business involves managing sensitive data cannot protect it effectively, what can be expected when the handling of such information becomes ubiquitous across industries?