Massive Odido cyberattack leaks customer IBANs and government IDs
In early February 2026, the Dutch telecommunications provider Odido (formerly known as T-Mobile Netherlands) confirmed a large-scale data breach affecting approximately 6.2 million customers. The incident, which also impacted its subsidiary brand Ben, is considered one of the largest personal data exposures in the history of the Netherlands.
Technical Sequence of the Attack
The intrusion occurred over the weekend of February 7 and 8, 2026. According to forensic investigations reported by Dutch national broadcaster NOS, the breach was executed through a multi-stage social engineering campaign:
- Phishing: Attackers initially obtained login credentials from several customer service employees through targeted phishing emails.
- Impersonation: To bypass multi-factor authentication (MFA), the threat actors called the compromised employees while posing as Odido internal IT department personnel, manipulating them into approving secondary login requests.
- Database Scraping: Once inside the Salesforce customer contact environment, the attackers used automated scripts to scrape records. While Odido initially estimated the impact at 6.2 million accounts, the threat actor group ShinyHunters claimed to have exfiltrated data belonging to 8 million individuals, comprising over 21 million lines of data.
Compromised Data Categories
The breach involved a wide array of Personally Identifiable Information (PII). While Odido stated that passwords, call logs, and billing histories remained secure, the following data points were confirmed as exposed:
| Data Category | Specific Details |
|---|---|
| Personal Identity | Full names, dates of birth, and home addresses |
| Contact Info | Mobile phone numbers and email addresses |
| Financial Data | IBAN (bank account numbers) |
| Government IDs | Passport and driver’s license numbers (including validity dates) |
| Internal Notes | Customer service notes, including details on payment disputes and fraud warnings |
The inclusion of customer service notes has been highlighted by security researchers at UpGuard as particularly high-risk. These notes provide context that allows criminals to craft highly convincing spear-phishing attacks by referencing specific internal account details.
Independent analysis by DataBreach.com has revealed the specific scale of the Odido exfiltration, with totals exceeding the company's initial estimates.
Granular Leak Statistics
The following records were identified within the stolen dataset:
- Dates of Birth: 6,598,287
- Email Addresses: 5,873,551
- Phone Numbers: 5,048,030
- Full Names: 4,941,694
- Bank Accounts 1,800,000
- Unspesificed number of Government IDs
The Dutch Data Protection Authority (AP) is now investigating whether Odido violated GDPR data minimization standards by retaining this sensitive metadata within a customer-facing environment.
Extortion and Disclosure Timeline
Following the discovery, Odido refused to pay a "low seven-figure" ransom demanded by the ShinyHunters group.
- February 12, 2026: Odido issued its first public disclosure and began notifying the Dutch Data Protection Authority (AP).
- February 24, 2026: Public reports surfaced detailing the blackmail attempt and the €1 million ransom demand.
- February 26, 2026: The hackers' deadline for payment expired.
- March 1, 2026: The full dataset was reportedly leaked to the dark web across various forums, including BreachForums.
The Public Prosecutor's Office in the Netherlands has launched a criminal investigation into the incident. Meanwhile, the Central Identity Fraud Reporting Point (CMI) reported that inquiries related to Odido more than doubled in the weeks following the leak, suggesting that the stolen data is already being leveraged for fraudulent activities such as SIM swapping and WhatsApp fraud.
