Odido Data Breach: ShinyHunters Claims Responsibility for 8 Million Records
Dutch telecommunications provider Odido is facing a significant data breach after the ShinyHunters extortion gang claimed responsibility for stealing data from approximately 8 million customers. The breach, initially disclosed by Odido on February 12th, has escalated with the threat actors demanding a ransom exceeding €1 million to prevent the public release of sensitive information.
Timeline of the Breach
Odido first detected unauthorized access to its customer contact system on February 7th, 2026. The company reported the incident to the Dutch Data Protection Authority and engaged external cybersecurity experts to investigate and mitigate the damage. Initial reports from Odido indicated that approximately 6.2 million customers were affected. However, ShinyHunters now asserts the actual number is closer to 8 million, representing a total of 21 million lines of data.
What Data Was Compromised?
The exposed data varies per customer but may include:
- Full name
- Address and city of residence
- Mobile number
- Customer number
- Email address
- IBAN (bank account number)
- Date of birth
- Identification details (passport or driver’s license number and validity)
While Odido maintains that passwords, call details, location data, billing information and scans of identity documents were not compromised, ShinyHunters claims to have obtained plaintext passwords as well. These passwords reportedly relate to customer interactions with Odido’s telephone support, where customers were asked to confirm details verbally.
ShinyHunters’ Demands and Threats
ShinyHunters is pressuring Odido to pay a ransom of over €1 million by Thursday morning, threatening to leak the stolen data if their demands are not met. The group has reportedly provided proof of the breach and the stolen data on the dark web. They have warned Odido not to grow “the next headline” and urged them to “make the right decision.”
Who are ShinyHunters?
ShinyHunters is a cybercriminal group known for hacking cloud environments and extorting companies. They have previously targeted high-profile organizations including Microsoft, Ticketmaster, Jaguar, Louis Vuitton, Pornhub, and Match Group. Unlike many cybercriminal gangs, ShinyHunters appears to be primarily based in Europe, rather than Russia. The group often employs tactics like voice phishing (vishing) to gain access to systems, exploiting single sign-on (SSO) vulnerabilities at companies like Google, Microsoft, and Okta.
Odido’s Response and Customer Advice
Odido has reiterated its commitment to protecting customer data and has denied ShinyHunters’ claims regarding the theft of passwords. The company has advised customers to be vigilant for suspicious activity on their accounts and profiles. While Odido acknowledges that stolen data is not always misused, they cannot rule out the possibility of data misuse.
Recent ShinyHunters Activity
In addition to the Odido breach, ShinyHunters has claimed responsibility for recent security incidents affecting Panera Bread, Betterment, SoundCloud, Canada Goose, and other organizations. Their methods often involve exploiting vulnerabilities in OAuth 2.0 device authorization grant flows to obtain authentication tokens and hijack SSO accounts.
Sources: