SYS::ONLINE
Wasteland.
Briefs1160
Issues19
SinceFeb 2026
LIVE
▣ Breach ODIDO-PHISHING-BRE 2026-07-13

Odido: ShinyHunters Phishing Breach

"Dutch telecom giant Odido has confirmed a breach that exposed data belonging to more than 6.2 million customer accounts after the cybercrime group ShinyHunters gained access through a phishing attack in February 2026…"

Dutch telecom giant Odido has confirmed a breach that exposed data belonging to more than 6.2 million customer accounts after the cybercrime group ShinyHunters gained access through a phishing attack in February 2026. On July 13, 2026, Dutch police announced strong indications that Dutch nationals were involved, and are now asking the public for help identifying the suspects. The stolen data was subsequently made public, elevating the incident from a corporate breach to a nationwide privacy event affecting a substantial share of the Netherlands' mobile subscriber base.

What Happened

In mid-February 2026, ShinyHunters broke into Odido and accessed a customer contact system holding records for roughly 6.2 million accounts. Odido is one of the largest mobile network operators in the Netherlands, formed in 2023 when T-Mobile Netherlands and Tele2 were rebranded following their acquisition by private equity firms Apax Partners and Warburg Pincus. The company serves around 8 million mobile subscribers and about 1 million fixed broadband customers under the Odido, Ben, and Simpel brands.

Odido confirmed the intrusion, stating that unauthorized access to the affected system "was terminated as quickly as possible" and that external cybersecurity experts were engaged to support the incident response. The High Tech Crime Team (THTC) of the National Investigation and Intervention Unit has been running the investigation under the direction of the National Public Prosecution Service since the breach was discovered. In an early phase of the operation, police managed to take several servers offline that the group had used to distribute the stolen data.

What Was Taken

According to Odido, the compromised customer contact system exposed a sensitive combination of personal and financial identifiers. The stolen records included:

Odido stated that the breach did not expose My Odido account passwords, call records, location data, invoice or billing details, or scans of ID documents. Even with those exclusions, the exposed dataset is a near-complete identity kit for millions of individuals. The combination of full name, address, date of birth, bank account, and ID number is precisely the material needed for high-quality identity theft and financial fraud.

Why It Matters

This breach affects a population equivalent to more than a third of the Netherlands' entire mobile market, making it one of the most significant Dutch consumer data incidents in recent memory. Because the stolen data was made public rather than merely held for extortion, the exposure is permanent and broadly available to any secondary actor. Victims cannot rotate a date of birth or passport number the way they would a password.

The involvement of ShinyHunters, a group with a long track record of large-scale data theft and public leaks, signals that telecom customer databases remain a priority target. The reported presence of Dutch nationals among the suspects also underscores that these operations are not exclusively offshore and can be pursued by domestic law enforcement. For defenders, the incident is a reminder that a single successful phish against a customer contact platform can cascade into a multimillion-record loss with national impact.

The Attack Technique

Dutch authorities attribute the initial intrusion to a phishing attack, the same low-cost, high-yield vector that continues to defeat organizations of every size. Phishing against a telecom's internal contact or CRM system typically targets employee or contractor credentials, granting an attacker legitimate access to bulk customer records without needing to exploit a software vulnerability.

Investigators noted that while these cases are complex and time-consuming, "cybercriminals are also vulnerable and leave traces behind," according to Stan Duijf, Head of Operations within the unit responsible for tackling cybercrime. Evidence was secured at multiple points in the investigation, and the takedown of the group's distribution servers suggests the actors relied on dedicated infrastructure to stage and share the exfiltrated data.

What Organizations Should Do

Sources: Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers - Security Affairs

TWEET: Odido breached by ShinyHunters. 6.2M customers' data exposed via phishing; Dutch police name local suspects. Full breakdown: https://wasteland.me/intel/odido-phishing-breach-6m-customers #CyberSecurity #ThreatIntel