Social Engineering · Telecommunications · Netherlands · March 2026

Odido

Analysis of the Odido data breach affecting over 6 million individuals in the Netherlands. Social engineering attack bypassed MFA and exposed customer data including IBANs and identity document metadata.

Records Affected

Over 6.5 million individuals and approximately 600,000 businesses

Attack Type

Social Engineering

Location

Netherlands

Data types exposed

Names, home and email addresses, phone numbers, dates of birth, bank account numbers (IBANs), passport and driver's licence numbers (metadata)

What Happened

Dutch telecom provider Odido, the largest mobile operator in the Netherlands, disclosed in mid-February 2026 that attackers had gained unauthorised access to a customer contact system. According to Odido's own statement and reporting by TechCrunch, the breach is believed to have occurred on or around February 7 and 8, 2026.
The compromised data reportedly includes customer names, home and email addresses, phone numbers, dates of birth, bank account numbers (IBANs), and metadata from government-issued identity documents such as passport and driver's licence numbers. Odido has stated that passwords, call records, billing data, location information, and scanned copies of identity documents were not part of the breach.
The threat actor group known as ShinyHunters has been linked to the incident. According to NL Times, the group initially demanded approximately EUR 1 million in ransom, later lowering this to EUR 500,000. Odido publicly refused to pay, citing advice from law enforcement and cybersecurity advisors. Following this refusal, the full dataset was reportedly published on dark web forums over several days beginning March 1, 2026.
Subsequent reporting by NL Times and RTL revealed that the leaked data included records associated with Dutch government ministers, a senior intelligence official, individuals under state protection, and over 16,000 employees working in critical sectors including companies such as ASML and Philips.
An analysis by IO+ noted that the attack method was not a zero-day exploit but rather social engineering, specifically phishing and impersonation of IT staff, which was used to bypass multi-factor authentication. The publication raised questions about why a single compromised account could access records belonging to millions of customers, pointing to a failure in access segmentation and the principle of least privilege.

Timeline

  • February 7-8, 2026 — ShinyHunters gain unauthorised access to Odido's customer contact system via social engineering
  • February 12, 2026 — Odido publicly discloses the breach, confirming millions of customers affected
  • February 2026 — ShinyHunters demand EUR 1 million ransom, later reduced to EUR 500,000
  • February 2026 — Odido refuses ransom payment on advice from law enforcement
  • March 1, 2026 — Full dataset published on dark web forums
  • March 5, 2026 — Reports emerge that data of government ministers and intelligence officials is in the leaked dataset

Threat Actor Profile

ShinyHunters is a prolific threat group responsible for multiple high-profile breaches in early 2026, operating a coordinated campaign targeting SSO credentials via voice phishing.
The group's Odido attack used social engineering and impersonation of IT staff rather than technical exploits, demonstrating their focus on human-layer vulnerabilities.

Impact and Risk Assessment

For Individuals

Over 6.5 million individuals had personal data exposed including IBANs, which can be used for unauthorised direct debit fraud.
Passport and driver's licence metadata, while not scanned copies, can still be used in identity fraud and social engineering attacks.
Dutch government ministers, intelligence officials, and individuals under state protection were identified in the leaked data, creating national security concerns.

For Organisations

Over 600,000 businesses had their data exposed, potentially including employee contact details and corporate account information.
Over 16,000 employees from critical sector companies including ASML and Philips were identified in the leaked data.
Odido faces significant reputational damage and potential regulatory action under GDPR.

Regulatory Context

GDPR applies directly, with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) overseeing the response. Fines of up to 4% of annual global turnover are possible.
The exposure of government officials' data may trigger additional national security review processes.

What Should You Do?

For Individuals

  • If you are an Odido customer, monitor your bank account for unauthorised direct debit transactions, particularly given the IBAN exposure.
  • Be alert to phishing attempts that use your personal details to appear legitimate. Do not respond to unsolicited calls or messages claiming to be from Odido.
  • Consider asking your bank to restrict direct debit authorisations on your account.

For Security Professionals

  • Review internal access controls to ensure a single compromised account cannot access records for millions of customers. Implement the principle of least privilege rigorously.
  • Evaluate the resilience of your MFA implementation against social engineering. Consider phishing-resistant methods such as FIDO2 hardware keys.
  • If your organisation's employees are Odido subscribers, assess whether their exposed personal data creates corporate security risks.
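
To illustrate the first recommendation above, the following added example (not Odido's code and not taken from any of the cited reports) caps how many distinct customer records one account may open per time window and replays a constructed access log through that cap. The log format, account names, role names and budget values are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy: distinct customer records one account may open per window.
WINDOW = timedelta(hours=1)
ROLE_BUDGET = {"support_agent": 5, "fraud_analyst": 20}  # small constructed values

class RecordAccessGuard:
    """Deny-by-default cap on distinct customer records per account per window."""

    def __init__(self, window=WINDOW, budgets=ROLE_BUDGET):
        self.window = window
        self.budgets = budgets
        self.seen = defaultdict(deque)  # account -> deque of (timestamp, customer_id)

    def allow(self, ts, account, role, customer_id):
        budget = self.budgets.get(role, 0)  # an unknown role gets no access
        events = self.seen[account]
        # Drop accesses that have aged out of the window.
        while events and ts - events[0][0] >= self.window:
            events.popleft()
        distinct = {cid for _, cid in events}
        if customer_id not in distinct and len(distinct) >= budget:
            return False  # a new record would exceed the budget: block and alert
        events.append((ts, customer_id))
        return True

def replay(log_lines, guard=None):
    """Replay 'ISO-timestamp account role customer_id' lines; return denials per account."""
    guard = guard or RecordAccessGuard()
    denied = defaultdict(int)
    for line in log_lines:
        ts, account, role, customer_id = line.split()
        if not guard.allow(datetime.fromisoformat(ts), account, role, customer_id):
            denied[account] += 1
    return dict(denied)

# Constructed sample log: agent_a handles a few customers, agent_b enumerates records.
SAMPLE_LOG = (
    [f"2026-01-01T09:{m:02d}:00 agent_a support_agent C{m % 3}" for m in range(0, 30, 5)]
    + [f"2026-01-01T10:00:{s:02d} agent_b support_agent C{100 + s}" for s in range(12)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))
```

In a real deployment the denial would also raise an alert and the budgets would be derived from observed per-role workloads; the point is that the limit is enforced server-side per account, so a phished session cannot read far beyond what one agent legitimately handles.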

Learnings and Recommendations

This incident is a reminder that social engineering remains one of the most effective attack vectors, even against large organisations with multi-factor authentication in place. MFA on its own is not a silver bullet if it can be bypassed through well-crafted phishing or impersonation.
Organisations holding large volumes of personal data should pay close attention to internal access controls. The fact that a single point of compromise could reportedly lead to the alleged exfiltration of millions of records suggests insufficient segmentation. The principle of least privilege, where each user or role has access only to the data it absolutely needs, is not a nice-to-have. It is a fundamental control.
For companies and individuals in the supply chain of telcos, this also highlights the downstream risk. If your staff or customers are among the subscribers of a breached provider, their personal details may now be in the hands of threat actors, whether or not your own systems were involved.

References

[1] TechCrunch - Dutch phone giant Odido says millions of customers affected — https://techcrunch.com/2026/02/13/dutch-phone-giant-odido-says-millions-of-customers-affected-by-data-breach/
[2] NL Times - Hackers publish full cache of stolen data after ransom refusal — https://nltimes.nl/2026/03/01/hackers-publish-full-cache-stolen-odido-customer-data-ransom-refusal
[3] NL Times - Data of ministers, protected individuals found in breach — https://nltimes.nl/2026/03/05/data-ministers-protected-individuals-found-massive-odido-hack-affecting-millions
[4] Infosecurity Magazine - Odido Breach Impacts Millions — https://www.infosecurity-magazine.com/news/odido-breach-millions-dutch-telco/
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.