As of 27 February 2026, the ShinyHunters extortion group has published two million lines of stolen customer data from Dutch telecoms provider Odido and is releasing fresh batches daily. Odido has refused to pay the ransom demand of over one million euros. The Dutch Public Prosecution Service has opened a criminal investigation. And in the week since the initial breach disclosure, confirmed identity fraud cases linked to the stolen data have more than doubled.
This is not a historical case study. It is an active, real-time leak — and its mechanics are worth understanding precisely because they reflect the dominant attack pattern of 2026.
Identity fraud in real time: In the seven days following Odido's initial disclosure, the Dutch Central Identity Fraud Reporting Point (CMI) recorded 590 confirmed identity fraud cases directly attributable to the breach — more than double the weekly average. The downstream damage begins within days of a leak, not weeks.
How the Attack Was Carried Out
ShinyHunters did not breach Odido through a software zero-day or brute-force attack. They did it with a phone call.
The initial access was achieved through voice phishing (vishing) — a social engineering technique in which attackers impersonate IT support or a trusted internal party and pressure employees into surrendering their Single Sign-On (SSO) credentials and MFA codes in real time. Once authenticated, the attackers followed a now-familiar playbook:
- Escalated privileges within Odido's cloud environment using the stolen SSO session
- Moved laterally across cloud infrastructure to identify and map data repositories
- Established persistent access to enable continuous, staged exfiltration
- Added Odido to their dark web extortion portal and opened ransom negotiations
The total dataset: up to 21 million lines of records representing approximately 6.2 to 8 million customers — nearly the entire Odido customer base.
The most dangerous breach is not the one that exploits a software vulnerability. It is the one that exploits a human one. Every authentication system in the world is bypassed the moment a legitimate user hands over their credentials.
What Was Stolen
The stolen data is not limited to email addresses and phone numbers. The Odido dataset includes:
- Full legal names, home addresses, email addresses, and dates of birth
- IBAN bank account numbers
- Passport and driver's licence details for a significant portion of customers
- Sensitive internal customer service notes — including records of payment arrangements, guardian relationships, and flags marking customers with a history of account fraud attempts
That last category is particularly significant. Dutch broadcaster NOS confirmed that the notes include entries identifying which customers have a court-appointed guardian — information that allows criminals to systematically identify financially vulnerable individuals and craft targeted attacks around their specific circumstances.
What Criminals Do With This Data
The Odido dataset is not just a privacy violation. It is an operational toolkit for identity fraud. The combination of full name, address, date of birth, IBAN, and national ID document number is sufficient to:
- Bypass KYC verification at financial institutions — real document numbers and full PII profiles can be paired with AI-generated facial imagery to defeat document-plus-selfie onboarding systems
- Execute SIM-swap attacks — convincing a mobile carrier that a caller is the legitimate account holder, using data points only the genuine customer should know
- Apply for credit or open bank accounts in the victim's name using legitimate document details that pass automated cross-referencing
- Conduct targeted spear phishing — personalised attacks that reference real account details, creating false legitimacy and bypassing recipients' defences
The KYC paradox here is acute: the more complete the stolen profile, the more convincingly it can be used to defeat the very identity verification systems designed to protect against fraud. See our full analysis: How Criminals Bypass KYC Checks Using Your Leaked Data.
The SSO Single Point of Failure
The Odido attack is part of a pattern. In January and February 2026 alone, ShinyHunters used the identical vishing-to-SSO methodology against Match Group (10 million dating records from Tinder, Hinge, and OkCupid), Crunchbase, Panera Bread, and several others. The attack surface in every case was the same: a legitimate employee, an SSO system, and a convincing phone call.
SSO was designed to reduce password fatigue and centralise security management. In practice, it has created a high-value target where a single compromised credential simultaneously grants access to every integrated service — CRM platforms, cloud storage, analytics, internal databases. What was designed as a convenience became a master key.
This is the structural reality facing any organisation that holds customer data at scale: the weakest link in your security architecture is no longer the software. It is the employee who answers an unexpected call from a plausible-sounding IT contact and, under social pressure, hands over their session token.
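A detection sketch for the pattern described in this section and in the attack walkthrough above: an SSO session that authenticates with MFA on a device the user has never used, then fans out across integrated services within minutes. This is an example added here, not code from Odido, the investigators or any vendor; the event schema, field names, thresholds and sample log lines are constructed assumptions to be mapped onto your identity provider's real log fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical IdP log schema:
# (timestamp, user, session_id, device_id, event, app)
EVENTS = [
    ("2026-02-10T09:00:00", "alice", "s-alice", "dev-a1", "mfa_success", ""),
    ("2026-02-10T09:01:00", "alice", "s-alice", "dev-a1", "app_sso", "crm"),
    ("2026-02-10T09:02:00", "alice", "s-alice", "dev-a1", "app_sso", "mail"),
    ("2026-02-10T09:03:00", "alice", "s-alice", "dev-a1", "app_sso", "storage"),
    ("2026-02-10T09:04:00", "alice", "s-alice", "dev-a1", "app_sso", "analytics"),
    ("2026-02-10T10:00:00", "carol", "s-carol", "dev-c2", "mfa_success", ""),
    ("2026-02-10T10:05:00", "carol", "s-carol", "dev-c2", "app_sso", "mail"),
    ("2026-02-10T11:30:00", "carol", "s-carol", "dev-c2", "app_sso", "crm"),
    ("2026-02-10T14:02:00", "bob", "s-bob", "dev-x9", "mfa_success", ""),
    ("2026-02-10T14:03:00", "bob", "s-bob", "dev-x9", "app_sso", "crm"),
    ("2026-02-10T14:05:00", "bob", "s-bob", "dev-x9", "app_sso", "storage"),
    ("2026-02-10T14:08:00", "bob", "s-bob", "dev-x9", "app_sso", "analytics"),
    ("2026-02-10T14:11:00", "bob", "s-bob", "dev-x9", "app_sso", "customer-db"),
]
# Devices already seen per user before this log window (constructed baseline).
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"}}


def flag_sessions(events, known_devices, window=timedelta(minutes=30), min_apps=4):
    """Flag sessions that begin with MFA on a device new to the user and then
    reach at least `min_apps` distinct SSO-integrated apps within `window`."""
    new_device_logins = {}      # session_id -> (user, device, login time)
    apps = defaultdict(set)     # session_id -> distinct apps inside the window
    for ts, user, sid, device, event, app in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event == "mfa_success":
            if device not in known_devices.get(user, set()):
                new_device_logins[sid] = (user, device, when)
        elif event == "app_sso" and sid in new_device_logins:
            if when - new_device_logins[sid][2] <= window:
                apps[sid].add(app)
    return {
        sid: {"user": user, "device": device, "apps": sorted(apps[sid])}
        for sid, (user, device, _) in new_device_logins.items()
        if len(apps[sid]) >= min_apps
    }


if __name__ == "__main__":
    for sid, hit in flag_sessions(EVENTS, KNOWN_DEVICES).items():
        print(f"ALERT {sid}: {hit['user']} on new device {hit['device']} "
              f"reached {len(hit['apps'])} apps: {', '.join(hit['apps'])}")
```

Neither signal is sufficient alone: a known device reaching many apps (alice) and a new device with ordinary usage (carol) both stay quiet, and only the combination (bob) alerts.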
Does Your Organisation's Exposure Profile Make It a Target?
ShinyHunters selects targets systematically. Our Corporate Exposure Audit maps what is publicly discoverable about your organisation's employee structure, technology stack, and third-party integrations — the exact intelligence attackers use to identify and approach entry points.
If You Are — Or Were — an Odido Customer
Assume your data is circulating. The practical steps to take now:
- Contact your bank directly to add a verbal password or account note flagging any requests to change contact details or payment methods — particularly those arriving by phone
- Enable SIM-swap protection with your mobile provider: request a port freeze or additional verification requirement for any SIM card change requests
- Check your credit file for new account openings or enquiries you did not initiate
- Do not trust caller ID — calls referencing your real account details are not proof of legitimacy. Hang up and call back on the official number printed on your statement
- Monitor haveibeenpwned.com for notification of your email address appearing in new breach compilations
The Wider ShinyHunters 2026 Campaign
ShinyHunters is not new. They are the same group behind the 2024 Ticketmaster breach and the 2021 AT&T data exposure. But the 2026 campaign represents a significant operational evolution: systematic, industrial-scale vishing targeting SSO providers across hundreds of organisations simultaneously.
The criminal calculus is straightforward. Corporate investment in technical security has made software intrusion increasingly expensive. Human intrusion — specifically at the employee authentication layer — remains underinvested and undertrained. Until organisations begin treating employee social engineering resistance with the same seriousness as patch management and firewall configuration, this pattern will continue and scale.
The Odido breach is not an anomaly. It is a preview.