On 1 March 2026, ShinyHunters made a final decision: no ransom payment, no further negotiations. The entire Odido dataset — names, home addresses, IBANs, passport numbers, phone numbers, and account challenge words belonging to 6.2 million customers — was published online and made available to anyone who wanted it, for free.
There is a meaningful difference between data that is for sale and data that is free. While data is being sold, only buyers with money and criminal connections can access it. The moment it becomes free, the threat multiplies. Anyone can download it. Automated tools can process it at scale. The question is no longer whether criminals will use it — it is what they will do first, and in what order.
If you missed how this breach happened, read our full investigation: How ShinyHunters Stole 6.2 Million Odido Records.
Wave 1: Phishing and Fake Messages (Days to Weeks)
The first wave begins almost immediately. Criminals take the dataset, load it into automated tools, and start sending messages. The key difference from ordinary spam is that these messages know things about you — your real name, your address, your phone number, sometimes even a partial IBAN.
In plain language: Imagine receiving a text message that addresses you by your full name, references your Odido account, and asks you to click a link to verify a payment. Because the details are accurate, it feels legitimate. This is exactly how the Odido data will be used.
After AT&T's 2024 breach of 110 million records, customers received a wave of SMS messages addressed by their real names, referencing real account details, directing them to fraudulent sites. The data makes the fake look real.
What to do: Any call or message that knows your details is not automatically trustworthy. Criminals now have those details. Hang up. Look up the real contact number yourself and call back. Never click links in unexpected messages.
Wave 2: Social Engineering and Impersonation (Weeks to Months)
The second wave is more targeted. Rather than mass messages, criminals use the data to impersonate — calling Odido's customer service pretending to be you, calling your bank using your real details, or calling you directly while posing as a bank employee or police officer.
In plain language: Social engineering means using information to manipulate a person rather than a system. A criminal who knows your name, date of birth, address, and IBAN can convince a bank helpdesk employee they are you. That employee has no reason to doubt it — every answer to their security questions is correct.
The most striking example of how quickly this works: in 2023, attackers targeted MGM Grand by calling the IT helpdesk. They had found employee details online and used them to answer identity verification questions convincingly. Within ten minutes of the call, they had been granted administrator access to MGM's systems. No hacking involved — just information used persuasively.
In the Netherlands, Europol and Eurojust coordinated arrests in December 2024 targeting a gang that used exactly this method. Eight people were arrested — four in Rotterdam, four in Belgium — for posing as police officers and bank employees, calling victims by name using verified personal details. The gang leaders operated from Rotterdam. Source: Europol
Wave 3: SIM Swapping — Losing Control of Your Phone Number (Weeks to Months)
This is the wave that concerns security experts most — and the one the Odido breach enables more completely than almost any previous Dutch leak.
In plain language: Your phone number is connected to everything. Your bank sends security codes to it. DigiD — the system used to file taxes, access healthcare records, and interact with government services — uses it for login. If a criminal convinces Odido's customer service that they are you and requests a new SIM card, your number moves to their phone. Every code sent to you goes to them instead. Your bank sees the code confirmed. Your DigiD is logged in. You only discover it when your own phone stops working.
The Odido dataset makes this particularly dangerous because it includes challenge words — the verbal security phrases Odido uses to verify your identity when you call customer service. Criminals now have your name, address, date of birth, and your challenge word. That is every answer to every security question Odido's helpdesk might ask.
This is not a theoretical risk. Dutch courts have prosecuted multiple SIM swap cases in recent years:
- Groningen, July 2021: Dutch police raided a holiday house and arrested four men — aged 17 to 28 — while they were actively conducting SIM swaps and bank helpdesk fraud on the phone with victims. Seized: €4,000 in cash, laptops, and designer clothing. (Source: Security.nl / Politie.nl)
- Netherlands, March 2025: The Dutch Public Prosecution Service demanded 2.5-year prison sentences for three men who executed 160 SIM swaps within a single month — 99 of them over a single weekend. They purchased a stolen Dutch database from a criminal forum, then used a corrupt telecom employee to port victim numbers to their own SIM cards. Total stolen: €112,000 in cryptocurrency. (Source: Openbaar Ministerie)
The pattern extends across Europe. Europol's Operation Quinientos Dusim (Spain, 2020) arrested 12 people responsible for over 100 SIM swap attacks totalling more than €3 million — carried out using forged identity documents at mobile phone shops. Operation Smart Cash (Romania and Austria, 2020) resulted in 14 arrests for €500,000 stolen from Austrian victims using intercepted banking SMS codes, with the money withdrawn via cardless ATMs. (Source: Europol)
In the United Kingdom, a SIM swap ring targeting celebrities and musicians was broken up in 2021 following arrests in England, Scotland, Belgium, and Malta — over $100 million in cryptocurrency stolen by hijacking the phone numbers of sports stars and influencers. (Source: Europol)
UK fraud data shows how fast the problem is growing: SIM swap cases rose by 1,055% in 2024, from 289 reported cases in 2023 to nearly 3,000, according to fraud prevention service Cifas. (Source: Cifas)
DigiD risk: DigiD offers SMS login for tax filings, healthcare access, and municipal services. A SIM swap gives a criminal access to government services in your name. Switch to the DigiD app with biometric login — it is SIM-swap resistant. DigiD.nl explains how to upgrade.
Wave 4: Identity Fraud and the Long Tail (Months to Years)
Data does not stop being useful after it is used once. The Odido dataset will be combined with data from other breaches — building more complete profiles of individuals over time. Criminals sell enriched datasets. Your information circulates, gets updated, gets combined, and gets resold for years.
In plain language: The Odido data on its own is valuable. Combined with data from other Dutch breaches — delivery services, retailers, healthcare providers — it becomes a complete profile. Enough to take out a phone subscription, apply for consumer credit, or open a neobank account in your name. The Dutch government's own identity fraud guidance states that name, date of birth, and BSN — all present in the Odido dataset — are sufficient for a fraudster to request a loan or phone subscription. Traditional Dutch banks require iDIN or a video call with a physical document; neobanks that rely on automated KYC — Revolut, Bunq, N26 — are more exposed. How automated identity verification fails at scale is covered in our KYC article. You may not discover the fraud until a debt collector contacts you about something you never signed up for.
After the 2022 Medibank breach in Australia — health insurance data for nearly 10 million people — criminals spent months inside the dataset before acting. They then contacted individual high-profile victims directly by name, threatening to expose their medical records unless they paid. The most damaging fraud did not happen at breach time. It came later, after criminals had studied who in the dataset was worth targeting.
The Netherlands is particularly exposed to this risk. According to the European Banking Authority, the Netherlands ranks highest among all EU countries for digital payment fraud volume. And only 18% of Dutch fraud victims report incidents to the police — meaning 82% of fraud goes unrecorded and unprosecuted.
What Odido Customers Should Do Now
The breach cannot be undone. But the risk can be reduced with concrete steps taken now:
- Call Odido and request extra account protection. Ask them to add a secondary PIN or a written note requiring additional verification before any SIM card replacement is processed on your account.
- Switch DigiD to app login with biometrics. This removes the SMS verification step entirely and makes your DigiD account SIM-swap resistant. Update your login method at digid.nl.
- Enable transaction notifications on your banking app. Every payment and transfer should trigger an instant alert on your phone. This is your fastest early warning signal.
- Treat all incoming contact with suspicion, regardless of how accurate the details are. Knowing your name and IBAN is no longer proof of legitimacy — criminals have those details now. If someone calls claiming to be from Odido, your bank, or the police: hang up, find the real number yourself, and call back.
- Check whether your email address appears in breach databases. Visit haveibeenpwned.com to see whether your data is known to be circulating. For a deeper check that includes data broker exposure and dark web presence, we offer a free Snapshot Scan — request one here.
- Request a credit file check. Your credit file records any new account openings or credit enquiries made in your name. An unexpected entry is an early sign of identity fraud.
The Breach Was the Beginning, Not the End
The Odido dataset went online on 1 March 2026. It will still be in circulation in 2027 and beyond. The criminal market for personal data does not have an expiry date.
The steps above reduce your exposure but cannot eliminate it — the data is already out. The most effective long-term protection is reducing how much data exists about you in the first place: removing yourself from data broker databases, tightening what is publicly associated with your name, and minimising the digital trail that feeds the next breach.
Sources
- Openbaar Ministerie — Dutch crypto SIM swap trio, March 2025
- Security.nl — Groningen SIM swap arrests, July 2021
- Europol — Operation Quinientos Dusim and Operation Smart Cash
- Europol — Celebrity SIM swap ring arrests, 2021
- Europol — Phone phishing gang, Belgium and Netherlands, December 2024
- ENISA — SIM Swapping: survey of 48 European mobile operators
- Cifas — 1,055% surge in SIM swaps, UK 2024
- DigiD.nl — SMS verification and upgrade options
- NL Times — Full Odido dataset published, March 2026
- Security Affairs — ShinyHunters leaked the full Odido dataset