Dutch telecom giant Odido has confirmed a breach that exposed data belonging to more than 6.2 million customer accounts after the cybercrime group ShinyHunters gained access through a phishing attack in February 2026. On July 13, 2026, Dutch police announced strong indications that Dutch nationals were involved, and are now asking the public for help identifying the suspects. The stolen data was subsequently made public, elevating the incident from a corporate breach to a nationwide privacy event affecting a substantial share of the Netherlands' mobile subscriber base.
What Happened
In mid-February 2026, ShinyHunters broke into Odido and accessed a customer contact system holding records for roughly 6.2 million accounts. Odido is one of the largest mobile network operators in the Netherlands, formed in 2023 when T-Mobile Netherlands and Tele2 were rebranded following their acquisition by private equity firms Apax Partners and Warburg Pincus. The company serves around 8 million mobile subscribers and about 1 million fixed broadband customers under the Odido, Ben, and Simpel brands.
Odido confirmed the intrusion, stating that unauthorized access to the affected system "was terminated as quickly as possible" and that external cybersecurity experts were engaged to support the incident response. The High Tech Crime Team (THTC) of the National Investigation and Intervention Unit has been running the investigation under the direction of the National Public Prosecution Service since the breach was discovered. In an early phase of the operation, police managed to take several servers offline that the group had used to distribute the stolen data.
What Was Taken
According to Odido, the compromised customer contact system exposed a sensitive combination of personal and financial identifiers. The stolen records included:
- Names and physical addresses
- Phone numbers and email addresses
- Bank account details
- Dates of birth
- Passport or national ID numbers
Odido stated that the breach did not expose My Odido account passwords, call records, location data, invoice or billing details, or scans of ID documents. Even with those exclusions, the exposed dataset is a near-complete identity kit for millions of individuals. The combination of full name, address, date of birth, bank account, and ID number is precisely the material needed for high-quality identity theft and financial fraud.
Why It Matters
This breach affects a population equivalent to more than a third of the Netherlands' entire mobile market, making it one of the most significant Dutch consumer data incidents in recent memory. Because the stolen data was made public rather than merely held for extortion, the exposure is permanent and broadly available to any secondary actor. Victims cannot rotate a date of birth or passport number the way they would a password.
The involvement of ShinyHunters, a group with a long track record of large-scale data theft and public leaks, signals that telecom customer databases remain a priority target. The reported presence of Dutch nationals among the suspects also underscores that these operations are not exclusively offshore and can be pursued by domestic law enforcement. For defenders, the incident is a reminder that a single successful phish against a customer contact platform can cascade into a multimillion-record loss with national impact.
The Attack Technique
Dutch authorities attribute the initial intrusion to a phishing attack, the same low-cost, high-yield vector that continues to defeat organizations of every size. Phishing against a telecom's internal contact or CRM system typically targets employee or contractor credentials, granting an attacker legitimate access to bulk customer records without needing to exploit a software vulnerability.
Investigators noted that while these cases are complex and time-consuming, "cybercriminals are also vulnerable and leave traces behind," according to Stan Duijf, Head of Operations within the unit responsible for tackling cybercrime. Evidence was secured at multiple points in the investigation, and the takedown of the group's distribution servers suggests the actors relied on dedicated infrastructure to stage and share the exfiltrated data.
What Organizations Should Do
- Enforce phishing-resistant multi-factor authentication (FIDO2 or hardware security keys) on all accounts with access to customer databases, prioritizing CRM and contact-management platforms.
- Apply least-privilege and just-in-time access controls so that no single compromised account can export millions of records; segment and gate bulk data access behind additional approval.
- Deploy data loss prevention and anomaly detection to flag unusual bulk queries or large exports from customer systems in near real time.
- Run continuous phishing simulation and awareness training for employees and contractors, and shorten the time to report suspicious messages.
- Encrypt or tokenize high-sensitivity fields (bank account numbers, passport and ID numbers) at rest so that a database compromise does not yield directly usable identifiers.
- Maintain an incident response retainer and pre-established law enforcement contacts to enable rapid server takedowns and evidence preservation, as demonstrated in the THTC investigation.
Sources: Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers - Security Affairs
TWEET: Odido breached by ShinyHunters. 6.2M customers' data exposed via phishing; Dutch police name local suspects. Full breakdown: https://wasteland.me/intel/odido-phishing-breach-6m-customers #CyberSecurity #ThreatIntel