Hackers Publish Two Million Lines of Stolen Odido Customer Data on Dark Web

Cybercriminal group ShinyHunters has published two million lines of stolen customer data from Dutch telecom provider Odido on the dark web after the company refused to pay a ransom exceeding €1 million. The hackers released one million records on Thursday and another million early Friday morning, with threats to continue daily publications until Odido pays.

The breach, which Odido disclosed on 12 February after detecting unauthorized access over the weekend of 7-8 February, affects at least 6.2 million current and former customers according to the company. ShinyHunters claims to possess data on more than 8 million individuals, totalling 21 million lines of records. Either figure would make this one of the largest data breaches in Dutch history.

The published files contain names, home addresses, phone numbers, email addresses, dates of birth and approximately 275,000 IBAN bank account numbers. Perhaps most concerning, the leaked material includes internal customer service notes identifying financially vulnerable individuals, including those who received payment reminders, have debt registrations, are under court-appointed administration, or were investigated for fraud. Some notes describe customers who behaved aggressively toward Odido store staff.

The first release covered approximately 680,000 individuals and 320,000 businesses. According to analysis by RTL Nieuws, the files include former customers who have not held an Odido subscription for years. Odido retains customer data for up to two years after contracts end.

The hackers have not yet published passport, driving licence and national identity card numbers but threaten to release this information if Odido continues refusing payment. A leaked database field labelled "password_c" caused initial alarm, but Odido clarified this contained telephone verification challenge words used by some customers during support calls rather than login credentials. The company has discontinued this practice.

BSN national insurance numbers are not stored in Odido's systems and were not exposed, the company stated.

Odido announced it would not negotiate with the criminals following consultation with cybersecurity advisers and government officials. "Odido has decided not to negotiate with these criminals and not to be blackmailed by them," the company said. The decision aligns with general guidance discouraging ransom payments, though it guarantees the data will be published.

After releasing the first batch, ShinyHunters posted a message to Odido stating: "You know how to find us." The group's ultimatum had set Thursday 26 February as the deadline, warning they would publish one million records daily thereafter if payment was not received.

ShinyHunters is a well-known extortion group believed to be primarily based in Europe rather than Russia. Previous victims include Microsoft, Ticketmaster, Jaguar, Louis Vuitton and Pornhub. Security researchers have documented how the group gained access to Odido through voice phishing attacks that deceived customer service employees into revealing their single sign-on credentials and multi-factor authentication codes.

The tangible impact is already visible. Reports to the Centraal Meldpunt Identiteitsfraude (CMI), the government's identity fraud reporting centre, have more than doubled in a week, surging from 245 to 590 confirmed cases related to Odido. The CMI, operating under the Ministry of Interior Affairs, notes that most reports come from individuals concerned about potential fraud rather than confirmed misuse.

The Public Prosecution Service has launched a criminal investigation into the cyberattack. If Odido is found to have been negligent in protecting customer data, the investigation could lead to legal action against the company.

Cybersecurity expert Dave Maasland, director of ESET Netherlands, warned that the greatest danger lies not in the breach's scale but in the combination of data stolen. Names, addresses, bank details and identity document numbers together create what he called "a goldmine for criminals" enabling highly personalised phishing and social engineering attacks.

Security researcher Troy Hunt's website Have I Been Pwned has now indexed the first two Odido leaks, allowing affected individuals to check whether their email address appears in the published data. The Dutch police offer a similar service called Check je Hack.

Odido notified affected customers via email or SMS between 12 and 14 February. The company has offered a two-year subscription to F-Secure security software as compensation, which ethical hacker Sijmen Ruwhof described as inadequate given that phone numbers and addresses often remain unchanged for years.

The CMI advises that the stolen data alone cannot be used to open bank accounts, take out loans or phone subscriptions, or request new identity documents, as these require additional verification such as physical identity documents, DigiD authentication or bank login details. However, the information significantly increases phishing risk.

Customers are urged to monitor bank accounts for suspicious transactions, verify the authenticity of any communications claiming to be from Odido or financial institutions, avoid clicking unsolicited links, and report suspicious activity immediately. The combination of leaked IBAN numbers with personal details makes phantom invoice fraud particularly likely.

The breach comes at a sensitive moment for Dutch digital security discussions. Just one day before Odido disclosed the hack, parliament held a debate on digitalisation and the proposed American takeover of Solvinity, the company behind DigiD infrastructure. Wietske Kamsma of the Alliantie Digitaal Samenleven questioned why organisations are permitted to store such combinations of sensitive data together in single databases.

Odido maintains that a data leak does not automatically entitle customers to compensation and that current efforts focus on preventing further harm. Under GDPR regulations, companies bear responsibility for securing personal data, though proving damages directly linked to a specific breach remains legally difficult.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) confirmed it is actively monitoring the situation and has received numerous complaints and tips about the breach.