The cybercriminal group ShinyHunters has claimed responsibility for the massive data breach at Dutch telecommunications provider Odido, demanding a ransom of over €1 million to prevent the publication of stolen customer data on the dark web. The hackers have set a deadline of Thursday morning, warning in a message to the company that this is their "final warning."
Conflicting figures
The scale of the breach remains disputed. Odido maintains that 6.2 million current and former customers were affected, while ShinyHunters claims to have stolen data belonging to 8 million people, totalling 21 million lines of data. The hackers accuse Odido of lying about the true extent of the breach.
RTL Nieuws reported that ShinyHunters provided evidence to verify their involvement in the attack, which occurred on the weekend of 7-8 February. The stolen data reportedly includes names, addresses, bank account numbers, and passport numbers. The hackers also claim to possess customer passwords, though Odido has consistently denied that passwords were compromised.
"It affects 8 million customers and a total of 21 million lines of data," the hackers stated. "Make the right decision, you know where to find us." According to ShinyHunters, the demanded ransom is "a low seven-figure sum."
How the breach occurred
According to NOS reporting, the attackers gained access through phishing emails targeting Odido customer service employees. The hackers posed as members of the company's IT department to obtain login credentials, which they then used to access a Salesforce-based customer contact system containing extensive personal information.
CEO Søren Abildgaard confirmed in a statement that the breach involved "personal data originating from a customer contact system used by Odido." The company says it terminated the unauthorized access as quickly as possible and engaged external cybersecurity experts.
The compromised data varies by customer but may include full names, home and email addresses, mobile phone numbers, dates of birth, bank account numbers (IBAN), customer numbers, and government-issued ID details such as passport or driver's licence numbers and their validity dates. Odido maintains that no passwords, call records, location data, billing information, or scans of identity documents were stolen.
Notorious hacking group
ShinyHunters is one of the most prolific cybercriminal collectives operating globally. First emerging in 2020, the group has claimed responsibility for numerous high-profile breaches, including attacks on Microsoft, Ticketmaster, Santander Bank, Jaguar, Louis Vuitton, and Pornhub.
The group gained particular notoriety in 2024 when it claimed to have stolen data from 560 million Ticketmaster customers, demanding $500,000 for the 1.3 terabytes of stolen information. That breach exploited vulnerabilities in cloud provider Snowflake's systems.
Unlike many cybercriminal groups that operate from Russia, ShinyHunters appears to be primarily based in Europe. In 2024, a French member of the group in his twenties was arrested and subsequently sentenced to three years in prison in Seattle after pleading guilty to conspiracy to commit wire fraud. The group is known for targeting cloud environments and using sophisticated social engineering techniques.
ShinyHunters typically sells stolen data to other criminals on dark web forums when a victim does not pay, which is the outcome Odido faces if it refuses.
Company response
Odido has not publicly stated whether it is considering paying the ransom. A company spokesperson emphasised that "a data breach does not automatically entitle you to compensation," adding that their efforts are currently focused on preventing customers from suffering harm.
The company has warned customers to be alert for suspicious activity, including phishing attempts by criminals impersonating Odido or banks. Fake invoices bearing Odido branding may also be circulated. Customers are advised to verify any communications through official channels and to check invoices through the Mijn Odido portal.
Tim Walree, a university lecturer in private law and technology, told RTL that providers can be held liable if customers demonstrably suffer harm as a result of a data breach, but only if Odido "demonstrably violated the law."
Data retention questions
The breach has also raised uncomfortable questions about Odido's data retention practices. According to Het Financieele Dagblad, some former customers who ended their contracts between five and ten years ago received breach notification emails, despite Odido's stated policy of retaining customer data for only two years after contract termination.
The company told the newspaper it needs more time to investigate why data was retained longer than its stated policy allows.
One of the largest Dutch breaches
With 6.2 million people affected, roughly one-third of the Dutch population, the Odido breach ranks among the largest data breaches in Dutch history. The company, which has approximately 7 million active customers, was formed in 2023 through the rebranding of T-Mobile Netherlands and Tele2 Netherlands.
Following the breach announcement, many customers have reportedly begun exploring alternative providers. The incident adds to a pattern of major telecom breaches globally, including a recent attack on South Korea's SK Telecom that exposed 27 million customer records and led to a 90 percent drop in quarterly operating profit.
Odido reported the breach to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and has emailed all affected customers. The company maintains that its operational services remain unaffected and customers can continue to use phone, internet, and television services safely.

