The Odido Breach: 30 Days of Criminal Activity, Documented

On March 2, 2026 — eighteen days after Odido announced the breach — the company warned customers that a phishing campaign was already running in their name. Fraudulent emails, formatted to look like official communications, directed people to a fake compensation request form. The sender name read “Odido no reply.” The email address did not.

That warning confirmed something worth stating plainly: while Odido was still investigating the scope of the attack, criminals had already moved. The data was circulating, operational, and being used.

This article maps what the 30 days looked like — not as speculation, but as a documented sequence.

The timeline

February 12. Odido publicly acknowledged that a cyberattack had compromised customer data. The scope was described as under investigation. No specific figures were confirmed.

February 26. Odido announced it would not pay a ransom or negotiate with ShinyHunters. The decision was made following guidance from cybersecurity experts and relevant authorities. For ShinyHunters, that decision removed the last reason to keep the data private.

March 1. ShinyHunters published the full dataset. Approximately 4.5 million records — names, home addresses, birth dates, phone numbers, IBAN numbers, challenge words, and in some cases passport details — entered open circulation. The window for containment closed.

March 2. The phishing campaign was confirmed active. Odido warned customers to verify sender addresses and ignore any message requesting a form submission or personal details.

March 10. Odido updated its breach page to state that the investigation is still identifying affected customers. One month in, the scope continues to expand.

The last entry matters. When a company announces that it is still finding new victims at the one-month mark, it means that the group of people who assume they are unaffected has not yet been fully mapped. An absence of notification is not confirmation of safety.

The four waves

The Odido dataset is not a single threat. It is a stack of enablement — each data field opens a different attack vector, and each wave of criminal activity draws on a different combination. We mapped this structure in detail when the dataset was first published: what each field enables and what the downstream exposure looks like. What follows is where each wave stands at the 30-day mark.

[Figure: Odido breach, four waves of criminal attack (phishing, social engineering, SIM swapping, and identity fraud), with real case examples and timeline]

Wave 1 — Confirmed active

Phishing

The first wave runs on name, email address, and the psychological weight of a known breach. Criminals do not need technical data to make phishing effective — they need a plausible reason to contact someone and an action to request. The Odido breach provided both. The March 2 phishing campaign confirmed Wave 1 was operational within the first three weeks. It will continue. The template has been built; sending it costs nothing.
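The mismatch Odido warned about, a sender name that reads "Odido no reply" on an address that does not belong to Odido, can be checked mechanically at a mail gateway or in a triage script. The following is an added example, not code from Odido or from this briefing; the trusted domain `odido.nl` and every sample header are assumptions constructed for illustration.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

BRAND = "odido"
# Assumption: the brand's real sending domains; replace with the verified list.
TRUSTED_DOMAINS = {"odido.nl"}

def _fold(text):
    """NFKC-normalise, casefold and keep only letters/digits, so spacing,
    punctuation and full-width letter tricks still match the brand name."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in text if ch.isalnum())

def _trusted(domain):
    """True for a trusted domain or a subdomain of one (label-boundary match)."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_from(raw_from):
    """Classify one From header value as ok, spoofed-display-name,
    lookalike-domain, unrelated or invalid."""
    name, addr = parseaddr(raw_from)
    if "@" not in addr:
        return "invalid"
    # Display names may be RFC 2047 encoded (=?utf-8?q?...?=); decode first.
    name = str(make_header(decode_header(name)))
    domain = addr.rpartition("@")[2].rstrip(".").lower()
    if _trusted(domain):
        return "ok"
    if BRAND in _fold(name):
        return "spoofed-display-name"   # the case described in the warning
    if BRAND in _fold(domain):
        return "lookalike-domain"       # brand string inside a foreign domain
    return "unrelated"

# Constructed sample headers (not taken from the real campaign).
SAMPLES = [
    'Odido no reply <noreply@odido.nl>',
    '"Odido no reply" <claims@refund-desk.example>',
    '=?utf-8?q?Odido_no_reply?= <form@mail.example>',
    'Service <info@odido.nl.billing.example>',
    'Newsletter <news@shop.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from(header):22} {header}")
```

An `ok` verdict only means the visible address is on a trusted domain; the From header itself can be forged, so pair this check with the message's SPF, DKIM and DMARC results.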

Wave 2 — Active risk now

Vishing and SIM swap

This is where the Odido dataset becomes more dangerous than most breach data. Typical phishing relies on email. Vishing adds a phone call — and the Odido records include phone numbers, home addresses, and challenge words: the exact combination carriers use to verify identity before porting a number.

A SIM swap executed with a confirmed name, address, and challenge word succeeds at a significantly higher rate than one built on guesswork. The caller does not need to improvise. The data provides the script. AI voice synthesis removes the last remaining friction — an operator with a convincing Dutch accent is no longer a constraint.

[Figure: SIM swap cases surged 1,055% in 2024. Bar chart showing UK Cifas data, from 289 cases in 2023 to nearly 3,000 in 2024, plus Odido breach scale comparison]

This is the methodology ShinyHunters has refined across multiple campaigns. We documented it in the context of identity verification bypass: how voice cloning and real-time interception defeated the controls everyone trusted. The Odido dataset is purpose-built for exactly this attack pattern. At 30 days, Wave 2 is the acute risk.

Wave 3 — Beginning now

Identity fraud

IBAN numbers, home addresses, and identity document details enable a category of fraud that takes longer to execute but is significantly harder to reverse. Credit applications, utility fraud, and financial account impersonation all draw on this combination. Wave 3 is beginning for some portion of the 4.5 million records. Stolen identity data does not move through a single pipeline — it is packaged, sold, and worked through over weeks and months.

[Figure: What criminals can do with each piece of Odido data. Full name, home address, IBAN, phone number, challenge word, and passport number mapped to fraud types]

The IBAN data is particularly significant in the Dutch context. Financial processes rely on IBAN as an identifier, not only as a payment detail. Combined with name and address, it anchors an identity claim across multiple institutions simultaneously.

Wave 4 — Loading

Long-tail account takeover

Breach data does not expire at the end of a news cycle. Credentials and personal identifiers sit in databases, resold, recombined, and tested against new targets for months and sometimes years. Challenge words are especially persistent — most people set them once and do not change them. An operator working the Odido dataset in six months will find the same challenge words still active against the same accounts. This is the wave most people do not anticipate and do not prepare for.

Where the risk stands now

Wave 1 is confirmed and ongoing. Wave 2 is the acute risk — the SIM swap and vishing window peaks between weeks two and eight, when the data is fresh and targets have not yet taken protective action. Wave 3 has begun for a percentage of the 4.5 million records. Wave 4 is being loaded into the infrastructure that will execute it over the months ahead.

Odido’s investigation is still open. New customers are still being identified as affected. The assumption that silence from Odido means safety is not supported by what the investigation has produced so far.

The practical question is not whether the data is in circulation. It is. The question is what specific exposure an individual or organisation carries — and what is still preventable at this point in the timeline.
