ShinyHunters has confirmed a sustained data extortion campaign against Odido, the Netherlands' third-largest telecom provider with roughly 5 million mobile subscribers. Odido acknowledged that 6.2 million current and former customer records were accessed. The group is releasing up to 1 million lines of data per day in a deliberate pressure campaign after Odido refused to pay a ransom exceeding €1 million, making this one of the most operationally aggressive exfiltration campaigns seen in European telecom this year.

What Happened

ShinyHunters gained unauthorized access to Odido's customer data systems and began a staged public leak campaign after ransom negotiations collapsed. The group issued a direct statement to the company: "We gave you the chance to resolve this quietly within a few days. Instead, you chose delay and disclosure. The consequences will now be public, prolonged, and costly."

The leak has proceeded across at least three consecutive days, with the attackers releasing successive batches of data in a deliberate drip designed to maximize pressure on Odido leadership and regulators. Odido has publicly stated it will not pay. Dutch broadcaster RTL independently analyzed the second leaked batch and confirmed the authenticity and sensitivity of its contents, corroborating the company's own breach disclosure.

The group claims the full dataset covers more than 8 million individuals, approximately 2 million more than Odido has officially acknowledged.

What Was Taken

The confirmed dataset includes:

RTL's analysis of the second batch identified at least 13 individuals with explicit safety-sensitive notations. At least five were flagged as active stalking victims with protected addresses. The majority of these individuals are women. Ten of the 13 had interacted with Odido within the past six months, indicating the data is current.

Why It Matters

This breach crosses a threshold that most corporate data incidents do not: it directly and immediately endangers human lives. The exposure of internal safety flags, notes that exist specifically to protect domestic violence survivors and stalking victims, transforms what would otherwise be a standard PII breach into a physical safety crisis.

For the broader threat intelligence community, several signals are significant:

  1. ShinyHunters is operating with increasing sophistication in its extortion mechanics. The staged daily release is a calculated coercion technique, not opportunistic dumping. It demonstrates operational discipline and media strategy.
  2. Telecom companies hold uniquely dangerous data. Internal notes, address masking records, and fraud flags create a secondary layer of sensitive data that organizations frequently fail to classify and protect at the same level as financial records.
  3. The €1M demand is notably low relative to the volume of data claimed (8M+ records), suggesting either a fast-cash operation or that a larger extortion demand against Odido's corporate parent is forthcoming.
  4. European telecom is an active ShinyHunters target. This follows a pattern of the group pivoting from North American targets toward EU infrastructure, which carries GDPR liability exposure that increases pressure to pay.

The Attack Technique

The initial access vector has not been publicly confirmed by Odido or Dutch authorities as of this writing. However, ShinyHunters' historical TTPs include:

The inclusion of internal call center notes in the leaked data strongly suggests the attackers had read access to a CRM or customer support platform, not just a raw database export.

What Organizations Should Do

  1. Audit internal notes and free-text fields in CRM/support systems immediately. This class of data is rarely classified, rarely encrypted at the field level, and almost never governed with the same rigor as structured PII. That needs to change.

  2. Identify and isolate safety-flagged customer records. Any customer whose record includes domestic violence, stalking, or address protection flags should be treated as critical-sensitivity data with access logging and strict role-based controls.

  3. Review third-party access to customer data systems. Map every vendor and contractor with read access to your CRM, billing, and support platforms. Revoke unused credentials. Enforce MFA on all service accounts.

  4. Monitor for ShinyHunters TTPs against cloud data platforms. Check Snowflake, Azure Synapse, and similar environments for anomalous access patterns, particularly bulk exports or unusual API query volumes, over the past 30–90 days.

  5. Engage regulators proactively. Under GDPR Article 33, breaches must be reported to supervisory authorities within 72 hours. Given the presence of special-category data (safety records), Article 34 direct notification to affected individuals is likely mandatory. Delayed disclosure compounds both legal exposure and harm to victims.

  6. Do not pay the ransom. Odido's refusal is correct. Staged leak campaigns continue regardless of payment, and payment signals to the group that European telecoms are viable targets.
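
For recommendation 4, one way to review 30–90 days of query or API logs for bulk exports is to compare each account's daily row volume with that account's own trailing baseline. This is an added example, not code from Odido or any vendor: the record layout (day, account, rows returned), the account names, the thresholds and the sample data are all constructed assumptions, and real logs would first be mapped into this shape.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def flag_bulk_exports(events, since, window_days=90, k=6.0,
                      floor=50_000, min_history=7):
    """Flag (account, day) totals far above that account's own trailing baseline.

    events: iterable of (day, account, rows_returned), one per query or API call.
    Only days on or after `since` are judged; earlier days serve as baseline.
    """
    by_account = defaultdict(lambda: defaultdict(int))
    for day, account, rows in events:
        by_account[account][day] += rows          # daily total per account
    findings = []
    for account, days in by_account.items():
        for day in sorted(d for d in days if d >= since):
            rows = days[day]
            if rows < floor:                      # too small to be a bulk export
                continue
            history = [r for d, r in days.items()
                       if timedelta(0) < day - d <= timedelta(days=window_days)]
            if len(history) < min_history:        # new or dormant credential
                findings.append((account, day, rows, "no baseline"))
                continue
            med = median(history)
            mad = median(abs(r - med) for r in history)
            # Robust spread; the 10% term stops a flat baseline from alerting on noise.
            spread = max(1.4826 * mad, 0.10 * med, 1.0)
            if rows > med + k * spread:
                findings.append((account, day, rows, f"baseline {med:.0f}"))
    return findings

# Constructed sample: 30 days of normal activity, then one day to evaluate.
START = date(2025, 1, 1)
EVAL_DAY = START + timedelta(days=30)
SAMPLE = []
for i in range(30):
    d = START + timedelta(days=i)
    SAMPLE.append((d, "svc-reporting", 55_000 + (i % 5) * 1_000))  # nightly job
    SAMPLE.append((d, "support-agent-17", 150 + (i % 7) * 20))     # manual lookups
SAMPLE += [
    (EVAL_DAY, "svc-reporting", 57_000),        # in line with its baseline
    (EVAL_DAY, "support-agent-17", 900_000),    # far above this account's norm
    (EVAL_DAY, "new-api-key", 2_000_000),       # large volume, no history
]

if __name__ == "__main__":
    for finding in flag_bulk_exports(SAMPLE, since=EVAL_DAY):
        print(finding)
```

The per-account baseline is what keeps the high-volume reporting job quiet while surfacing the support account and the credential with no history.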
