The Odido hack at a glance:
- Scope: over 6.5 million unique individuals (including many former customers) and 600,000 companies affected
- Perpetrators: the cybercriminal hacker group ShinyHunters
- Cause: phishing of customer service employees, followed by telephone social engineering
- Leaked data: names, addresses, email addresses, phone numbers, IBAN, ID numbers (passports/driving licenses), BSN, and internal notes
- Not in the hack: passwords, call data, and 'My Odido' login details were not affected.
- Greatest risk: identity fraud and targeted phishing (social engineering)
Timeline of escalation
UPDATE February 26: after Odido officially decided not to pay, the first private data of hundreds of thousands of Dutch citizens was published on the dark web on February 26. While the investigation by the Public Prosecution Service (OM) is ongoing, the threat of a 'leak' after a phase of active blackmail has now turned into a large-scale, step-by-step data dump.
UPDATE February 27: the situation escalates further. The hacker group ShinyHunters has released a second data dump online with the private data of 649,000 (former) customers and about 340,000 bank account numbers (IBAN). Researchers have also confirmed that, despite earlier denials, BSN data has indeed been found in the dump – as well as shocking data about vulnerable groups (such as stalking victims), whose physical safety is now directly at stake. Affected individuals can now check via Have I Been Pwned whether their email address is in the first dump. At the same time, ethical hacker Sijmen Ruwhof has started a crowdfunding campaign in a last-ditch effort to raise the ransom and stop further publications.
UPDATE February 28: the hackers have kept their word and this morning released the third batch of 1 million records online. This confirms the enormous scale of the identity risk: in this new batch, 365,000 document numbers of driving licenses, 245,000 of European identity cards, and 180,000 of passports have been found.
Update March 1 (the endgame): the blackmail phase is over. The hackers have stopped the "salami tactic" and published the complete dataset of an estimated 21 million records (full_odido_shinyhunters) online. This means the private data of over 6.5 million unique individuals and 600,000 companies is definitively on the street. The dump contains more than 5 million unique ID numbers (passports, driving licenses, and even diplomatic papers), 71,000 email addresses of administrators, and 44,000 internal customer notes with very sensitive information about, among other things, stalking cases (customers who are being stalked), fraud, and behavior. The total database has thus become the public property of the criminal circuit.
Update March 25 (follow-on fraud in practice): the first large-scale fraud riding on the leak is reported. Scammers are using the leaked dataset for extremely credible CJIB phishing: by quoting your real name and IBAN, they try to pressure you under a short deadline (pay within 24 hours) into paying a fake traffic fine via email. Remember: the CJIB only sends such notices by post.
TL;DR: the Odido hack in essence
- What happened: over the weekend of February 7–8, hackers gained unauthorized access to a customer contact system (the operational service remained intact). After Odido refused to pay a demanded amount of seven figures (in millions of euros) to the hacker group ShinyHunters, the criminals retaliated with a "salami tactic": gradually publishing 1 million lines of data per day on the dark web to maximize pressure. Despite a fundraising campaign by ethical hacker Sijmen Ruwhof to stop the blackmail, the situation escalated. On March 1, the salami tactic was halted, and the hackers released the entire haul of 21 million lines online in one go, resulting in the private data of over 6.5 million unique individuals and 600,000 companies falling into criminal hands.
- The scope and investigation: where sources initially deemed a complete breach of the file and a full download of millions of records "unlikely", the scope has not been in question since the March 1 publication: the complete database of 21 million records (over 6.5 million unique individuals) is on the dark web. The ongoing investigation by the AP and the OM now also focuses on the serious violation of the retention period, as data older than 10 years was found in the affected systems.
- The scale: although Odido initially spoke of 6.2 million accounts (where accounts do not equate to individuals and one person may have multiple accounts), the claims of the attackers in the following days rose to 8 to even more than 10 million (former) customers. With the final dump of March 1, it has been confirmed that it actually concerns over 6.5 million unique individuals and 600,000 companies – significantly more than the initial estimate. This affects both current and former customers, including the subsidiary brand Ben.
- Leaked data (definitively confirmed): in addition to NAW data, customer numbers, and IBANs, it has been shown that, despite earlier denials, there are indeed citizen service numbers (BSN) in the data, among others via old ZZP VAT numbers. The complete dump has definitively revealed the enormous scope of the identity risk: there are now 5 million unique ID numbers including validity (passports/driving licenses) on the street, as well as 71,000 email addresses of administrators and 44,000 internal customer notes with very sensitive information (for example, about payment behavior or stalking and domestic violence).
- Not leaked: passwords, call data, location data, invoice data, and scans of ID documents.
- What you should do now: do not click on links in unexpected messages, turn on bank alerts, and apply the call-back rule (hang up → call back yourself via the official number). Affected individuals can also take advantage of an offer for two years of free digital protection (F-Secure Total) through Odido. A legitimate mass claim has now been initiated by interest group Consumers United in Court (CUIC) where you can join.
- Check your data: the complete leaked dataset is now safely searchable via Have I Been Pwned, where you can check whether your email address is in the dump. Warning: the police report that downloading or possessing this dataset is itself a criminal offence, as fencing of stolen data ("heling", art. 138c of the Dutch Penal Code). Use only legal, official tools.
- For companies: treat the contact center/CRM as a crown jewel: a lot of personal data, many roles, and many integrations mean high risk. The confirmed attack route (phishing followed by a fraudulent 'ICT' call) underscores once again that MFA a user can be talked into approving (a push prompt, a one-time code read out over the phone) does not protect the human factor; phishing-resistant MFA that is bound to the origin, such as FIDO2/WebAuthn security keys, is essential.
The incident in short: what we now know
Over the weekend of February 7–8, unauthorized access was gained to a customer contact system/contact center environment used by Odido. Customer data was downloaded from that system (data exfiltration). Odido reported that operational services were not affected: customers could continue to call, use the internet, and watch TV. How large the compromised set is and which accounts are included was initially still under investigation. The blackmail phase has now ended: on March 1, 2026, the complete dataset of an estimated 21 million records was published. This has put an end to all speculation and uncertainty about the scale; the haul is definitively on the street.
Odido claims to have terminated unauthorized access as quickly as possible and is working with external cybersecurity experts for investigation and additional measures. The incident has been reported to the Data Protection Authority (AP); reports indicate that the AP is also monitoring Odido's follow-up steps and information provision.
New clues about the access path
Figure 1: The suspected attack route. Sources indicate that attackers gained access to the customer system via phishing of login credentials and then telephone 'social engineering' at an employee to approve a fraudulent login attempt, thereby bypassing an extra security step – the multi-factor authentication (MFA).
Applying multi-factor authentication (MFA) is the standard, but this method shows that a technical barrier can be talked around when the factor itself can be approved by a person under pressure: a push prompt accepted on request, or a one-time code read out to a caller posing as ICT. The attribution in the reporting goes a step further: the attackers most likely used the OAuth 2.0 Device Authorization Grant flow ("device code phishing") to obtain a legitimate access token without ever touching the employee's device. Two caveats apply. Odido has not confirmed this route, and device code phishing is not the same as consent phishing: in a consent phish the victim grants an attacker-registered application permissions, whereas in a device code phish the victim enters a short code on the genuine login page, after which the token is issued to whichever client requested that code, in this case the attacker's.
The same reporting indicates that the access ultimately led to an environment with customer files (where "scraping", automated reading, was used) – and this explains why the service could continue while the data layer was indeed affected.
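To make the suspected route concrete, the following toy models the device authorization grant (RFC 8628) end to end: the attacker's client requests a code, the victim approves it on the real identity provider, and the attacker's poll then returns a bearer token for the victim's identity. This is an added example, not code from the article, from Odido, or from any vendor; the IdP hostname, client id, corporate address range and IP addresses are invented for illustration. The `risk_flags` function shows the kind of issuance-time check a defender can add: a "desktop CRM client" whose code was requested from outside the corporate network but approved from inside it.

```python
"""Toy OAuth 2.0 Device Authorization Grant (RFC 8628), in memory, and the phishing
pattern that abuses it.  Added example; all identifiers below are assumptions."""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional

VERIFICATION_URI = "https://idp.example/device"      # assumed IdP hostname
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed office/VPN range
CRM_CLIENT_ID = "crm-desktop-client"                  # assumed client id of the real CRM app


@dataclass
class PendingGrant:
    device_code: str
    user_code: str
    client_id: str
    scope: str
    requester_ip: str
    approved_by: Optional[str] = None
    approver_ip: Optional[str] = None


class AuthorizationServer:
    """Minimal RFC 8628 authorization server kept entirely in memory."""

    def __init__(self) -> None:
        self._by_device_code = {}
        self._by_user_code = {}
        self.issued = {}   # access_token -> claims

    def device_authorization(self, client_id, scope, requester_ip):
        """Step 1: the client (here: the attacker's script) asks for a device code."""
        user_code = f"{secrets.token_hex(2).upper()}-{secrets.token_hex(2).upper()}"
        grant = PendingGrant(secrets.token_urlsafe(24), user_code, client_id, scope, requester_ip)
        self._by_device_code[grant.device_code] = grant
        self._by_user_code[user_code] = grant
        return {"device_code": grant.device_code, "user_code": user_code,
                "verification_uri": VERIFICATION_URI, "expires_in": 900, "interval": 5}

    def approve(self, user_code, user, approver_ip):
        """Step 2: a user already signed in (MFA included) on their own browser types the
        code into the genuine IdP page.  The page cannot show which machine will receive
        the token, so this approval is the phishable step."""
        grant = self._by_user_code.pop(user_code, None)
        if grant is None:
            raise ValueError("unknown or expired user_code")
        grant.approved_by, grant.approver_ip = user, approver_ip

    def token(self, device_code, client_id):
        """Step 3: the client polls the token endpoint until the grant is approved."""
        grant = self._by_device_code.get(device_code)
        if grant is None or grant.client_id != client_id:
            return {"error": "invalid_grant"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        del self._by_device_code[device_code]          # one-shot: the grant cannot be replayed
        access_token = secrets.token_urlsafe(32)
        self.issued[access_token] = {"sub": grant.approved_by, "scope": grant.scope,
                                     "requester_ip": grant.requester_ip,
                                     "approver_ip": grant.approver_ip}
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant.scope}


def risk_flags(claims):
    """Issuance-time check: code requested from outside the corporate network but
    approved from inside it, for a client that should run on the agent's workstation."""
    flags = []
    if (ipaddress.ip_address(claims["requester_ip"]) not in CORPORATE_NET
            and ipaddress.ip_address(claims["approver_ip"]) in CORPORATE_NET):
        flags.append("requester outside corporate network, approver inside")
    return flags


def run_phish(idp, victim="agent@example-telco.invalid"):
    """The reconstructed chain in protocol terms: phish/call -> code entered -> token."""
    start = idp.device_authorization(CRM_CLIENT_ID, "crm.read", requester_ip="203.0.113.7")
    pending = idp.token(start["device_code"], CRM_CLIENT_ID)       # authorization_pending
    # Phone call posing as ICT: "open idp.example/device and enter <user_code> to finish
    # the rollout".  The victim only ever sees the genuine IdP page and their own session.
    idp.approve(start["user_code"], user=victim, approver_ip="10.20.30.40")
    issued = idp.token(start["device_code"], CRM_CLIENT_ID)        # bearer token, sub=victim
    return pending, issued, idp.issued[issued["access_token"]]


if __name__ == "__main__":
    pending, issued, claims = run_phish(AuthorizationServer())
    print(pending, issued["token_type"], claims["sub"], risk_flags(claims))
```

Note what never happens in this exchange: no password is entered on a fake page and no MFA prompt is "bypassed"; the victim completes a legitimate, MFA-protected approval of a code whose requester they cannot see. That is why defences such as disabling the device code grant for clients that do not need it, and alerting on requester/approver mismatches as above, matter more here than stronger passwords.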
Involved customers have been personally informed via email (sender: info@mail.odido.nl) or SMS. Although this process took up to 48 hours due to the scale, that period has now passed. Note that a received message should be seen as a signal, not as proof: senders and numbers are easily spoofed. Therefore, never click on links and always verify through the official app or site. It has now been confirmed that the warning concerns 6.2 million accounts, including both current and former customers.
Why even former customers (after 10 years) are affected
A shocking detail that only emerged later is the presence of data from former customers. Although the retention period that applies to this type of data is usually two years (Odido's own rules also say two years), people who left the provider more than a decade ago still received a notification. According to reports from, among others, the FD and Tweakers, this is because customer data that should have been deleted after two years was still present in the affected systems. RTL News' investigation has since confirmed that Odido retained the data of at least 44,000 former customers longer than the promised two years. This points to a serious failure in retention compliance and has become a central part of the criminal investigation by the Public Prosecution Service and the Data Protection Authority.
Moreover, the AP has now explicitly called on customers not to make new reports about this specific incident. The supervisor indicates that it already has sufficient information for the ongoing investigation.
Services continuing ≠ no risk: the damage shifts to trust, fraud attempts, and support pressure.
Reports also state that the attackers themselves have indicated that they have the data in their possession. The attackers initially demanded an amount of "seven figures" (in the millions of euros) to keep the stolen data secret. However, Odido has officially decided not to give in to this blackmail and will not pay. In response, the hackers began publishing the stolen customer data step by step on February 26.
Strategic choice: no ransom, but a data dump
The decision not to pay is not a bluff, but a conscious strategy. On the advice of the police and cybersecurity experts, Odido chooses to ignore the blackmail. The company refuses to feed the criminal business model, knowing that a payment to groups like ShinyHunters is never a guarantee that the data will actually be deleted or not misused at a later time. Even if this means that the data is now published for the time being.
Figure 2: principles over extortion. By following the police's advice and not paying, Odido chooses a hard line against cybercrime, which simultaneously became the direct catalyst for the step-by-step data dump of millions (former customers) whose data was gradually placed online as direct retaliation.
Update February 27: second dump and crowdfunding
The hackers have kept their word. This morning (February 27), a second batch of customer data was published. This second part specifically concerns the private data of 649,000 customers and about 340,000 bank account numbers (IBAN). The ongoing publications have led to a remarkable action in the security community: ethical hacker Sijmen Ruwhof has started a crowdfunding campaign today. He hopes to raise 250,000 euros in a last-ditch effort to pay off the hackers and stop further dissemination of private data of Dutch citizens.
Update February 28: third dump and confirmation of ID numbers
The hackers have kept their word and today released a third batch of 1 million records online. This confirms the "salami tactic" – where each day the provider does not pay, a new part of the haul is published – for the third day in a row, and the count stands at 3 million leaked records. In this new batch, the enormous scale of the identity risk has been definitively confirmed: there are now 365,000 document numbers of driving licenses, 245,000 of European identity cards, and 180,000 of passports found in the leaked data.
Update March 1: publication of the complete dataset reveals millions of data, IDs, and sensitive notes
The hackers have abandoned their plan to release the data in parts and have published the remaining customer data in one go, claiming it was due to unspecified "recent developments". An analysis by NOS makes the exact damage clear: the set contains data from over 6.5 million individuals and 600,000 companies, including just over 5 million numbers of unique ID documents (driving licenses, passports, and residence papers of diplomats). Additionally, the dump contains very specific and sensitive information: for 71,000 people, the email address of a guardian or helper is listed, and internal customer service notes (for example, about stalking, fraud, or misconduct) have been leaked for over 44,000 customers. Notably, the criminals indicate that they have withheld part of the data "for their own use".
The aftermath in practice: personalized CJIB fraud
The public dataset translates into refined phishing by the end of March. Scammers create emails about 'traffic fines' from the CJIB, credible by quoting leaked NAW data and IBANs. With threats of doubling the fine amount if not paid within 24 hours, they force a hasty click. This proves: the stolen data now serves as a prop for social engineering.
Figure 3: example of the CJIB scam in practice (March 2026). Note the aggressive pressure buildup and the fabricated time pressure (pay within 24 hours). The email shows a fabricated amount increase (from €125 to €250) and the absurd threat of point deduction on the driving license. Crucial: the real CJIB only demands payment by physical mail; always log in for status checks and verification on the official website with DigiD.
Nuance: 6.2 million accounts ≠ 6.2 million people
That 6.2 million is a file of accounts. One person can appear multiple times (for example, multiple services/contracts), which means there can be duplicates in the dataset. This does not make the scale "less serious", but it is important for how you interpret the numbers.
- Update February 25: the hacker group ShinyHunters now claims to possess data from 8 million users.
- Update February 26: The hackers' claim has further increased; they now claim to have data from more than 10 million (former) customers.
- Update March 1 (final scale): with the publication of the complete dataset of 21 million records, the uncertainty about the scale has been removed. Analysis of the raw data shows that it concerns approximately 6.5 million unique individuals and 600,000 business accounts. This results in the number of victims being slightly higher than the 6.2 million that Odido initially reported, but significantly lower than the 10 million that the hackers claimed.
Whether it concerns the previously claimed 6.2 million accounts, the hackers' claim of 10 million, or the now confirmed 6.5 million unique individuals, the fact remains: even if you remove the duplicate accounts, we are talking about millions of unique data of Dutch citizens whose identity and bank details are in the dataset. The risk of mass fraud remains unprecedentedly high.
What we still do not know (and why that is normal)
A few crucial details have not yet been publicly confirmed by Odido, and that is normal in an ongoing investigation. At the same time, there is now more context about the suspected route: sources point to phishing of customer service employees and telephone social engineering to get past an extra security step (MFA/2FA), after which customer data was collected from the customer environment automatically. Odido itself has not publicly confirmed that route. Beyond that, only one thing remains truly open: the exact impact per customer (which specific fields leaked for whom). That is why you see formulations like "possibly" and "varies per customer". In incident response, that is often the fairest form: better nuance now than a retraction later.
This chain (phish → "ICT" call → MFA approval) also explains the aftermath: after that, it is less about technique, and more about multi-channel pressure (mail/SMS/phone/WhatsApp) where real details are used to make you act faster.
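The reason phishing-resistant MFA breaks this chain is origin binding: a WebAuthn authenticator signs the origin of the page that invoked it, so an assertion produced on a lookalike page does not verify for the real service, whereas an OTP read out over the phone carries no such binding. The toy below, added here as an example and not taken from the article or from any vendor's implementation, models that check. HMAC over a shared key stands in for the credential's asymmetric key so it runs with the standard library only; the hostnames and the user are invented.

```python
"""Toy WebAuthn-style assertion and verification showing origin binding.
Added example; HMAC replaces the real per-credential private key."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass
class Credential:
    credential_id: bytes
    key: bytes          # toy stand-in for the credential's private key
    rp_id: str
    counter: int = 0


class Authenticator:
    """The user's security key or platform authenticator."""

    def __init__(self):
        self._creds = {}

    def make_credential(self, rp_id):
        cred = Credential(secrets.token_bytes(16), secrets.token_bytes(32), rp_id)
        self._creds[cred.credential_id] = cred
        return cred.credential_id, cred.key     # toy: the relying party stores the same key

    def get_assertion(self, credential_id, origin, challenge):
        """`origin` is filled in by the browser from the page that called
        navigator.credentials.get(); neither the user nor the page can alter it."""
        cred = self._creds[credential_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        cred.counter += 1
        authenticator_data = (hashlib.sha256(cred.rp_id.encode()).digest()
                              + cred.counter.to_bytes(4, "big"))
        signed = authenticator_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(cred.key, signed, hashlib.sha256).digest()
        return {"client_data": client_data, "authenticator_data": authenticator_data,
                "signature": signature}


class RelyingParty:
    def __init__(self, rp_id, origins):
        self.rp_id, self.origins = rp_id, set(origins)
        self._creds = {}        # credential_id -> (user, key, last_counter)
        self._challenges = set()

    def register(self, user, credential_id, key):
        self._creds[credential_id] = (user, key, 0)

    def begin_login(self):
        challenge = secrets.token_urlsafe(16)
        self._challenges.add(challenge)
        return challenge

    def finish_login(self, credential_id, assertion):
        """Returns (ok, user-or-reason).  Order follows the spec: challenge, origin,
        rpIdHash, counter, then signature."""
        user, key, last_counter = self._creds[credential_id]
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self._challenges:
            return False, "unknown or replayed challenge"
        self._challenges.discard(cd["challenge"])
        if cd.get("origin") not in self.origins:
            return False, f"origin {cd.get('origin')} is not this service"
        ad = assertion["authenticator_data"]
        if ad[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        counter = int.from_bytes(ad[32:36], "big")
        if counter <= last_counter:
            return False, "signature counter did not increase"
        expected = hmac.new(key, ad + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        self._creds[credential_id] = (user, key, counter)
        return True, user


def demo():
    authn = Authenticator()
    rp = RelyingParty("idp.example", {"https://idp.example"})
    cid, key = authn.make_credential("idp.example")
    rp.register("agent@example-telco.invalid", cid, key)

    legit = rp.finish_login(cid, authn.get_assertion(cid, "https://idp.example", rp.begin_login()))

    # Adversary-in-the-middle: a lookalike page relays the real challenge to the victim.
    # A real browser would already refuse because the rp_id is not a suffix of the page
    # host; even if it did not, the signed origin lets the relying party reject it.
    relayed = rp.finish_login(
        cid, authn.get_assertion(cid, "https://idp-example.login-check.invalid", rp.begin_login()))
    return legit, relayed


if __name__ == "__main__":
    print(demo())
```

Contrast this with the six-digit code a caller asks you to read out: nothing in that code says where it was meant to be used, so relaying it through a fake page or a phone call succeeds. The origin check in `finish_login` is the difference between "MFA" and "phishing-resistant MFA".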
What remains open:
- the precise access path as officially confirmed (versus what sources/reporting reconstruct).
- How long attackers had access (dwell time) – and thus how much time they had to scrape/export data undisturbed to reach the 21 million stolen lines.
- The legal and financial settlement: the ongoing investigation by the AP and the OM into the exceeded retention periods of over 10 years and the eventual height of the fines.
- The exact impact per customer: Odido is now informing affected individuals about which specific fields per account (varies) have been leaked.
- The compensation and protection: how Odido will minimize the proven risks for vulnerable groups (such as stalking victims and individuals under guardianship) and whether any compensations will be offered now that their data is definitively public.
Why this leak is mainly about trust
Figure 4: The reality of a system breach. Although the technical breach occurred in a contact system, the real damage shifts directly to the trust of millions of customers whose data has been compromised by attackers.
You do not need to see a "Hollywood hack" to be at risk in such incidents. It often starts with something that sounds suspiciously normal: a call that feels like customer service. Someone who mentions your name and address, who casually drops your customer number. And who has just enough details to make you think: okay, they are really in my file.
And that is exactly the uncomfortable aspect of the Odido incident. The service can continue to operate – calling, using the internet, watching TV – while the real battle shifts to something human: trust. To how quickly you are inclined to click a link, to "fix" a payment, or to confirm a verification step because the other person sounds so convincing.
It starts, as it often does with major data breaches, not with "the network is down", but with something quieter – and precisely because of that dangerous: unauthorized access to a customer contact system/contact center environment and subsequently data exfiltration (downloading customer data). The service continued to operate: customers could continue to call, use the internet, and watch TV. That sounds reassuring, but mainly says something about the operational continuity – not about the impact on trust, fraud risk, and support pressure.
What has leaked in this Odido data breach (confirmed) – and what has not
Figure 5: What has been taken? An overview of the confirmed data points. Note: although your bank account is not directly accessible, the combination of the data on the left makes fraud very credible.
This leak is not a password leak. It is more of an identity leak: enough "real" data to fake trust. And that determines what type of fraud you will mainly see in the coming weeks.
As soon as people hear that no password has been leaked, there is often a point where many people inadvertently drop out ("okay, some data is gone"), while the other data also influences what criminals can do with it. The core: there are no passwords or call/location data leaked, but the set does contain enough identity signals to approach someone very credibly.
A) Identity and contact details
- Full name
- Address/city
- Mobile number
- Email address
- Date of birth
- Customer number
B) Financial data
- IBAN (account number)
C) Identification data (confirmed)
- ID number (ID/passport/driving license) + validity/expiration date: the complete dataset of over 5 million unique document numbers has been on the street since March 1 (including diplomatic residence papers).
- BSN (Citizen Service Number): despite earlier denials from Odido, citizen service numbers are present in the leaked dataset. This affects a large group of (former) self-employed individuals whose BSN was still in the VAT field, but the presence of BSN data in the dump seems to be broader than just this group. This significantly increases the risk of identity fraud for all involved.
D) Behavioral and payment insight
- Financial notes: notes about payment behavior (e.g., arrears, debts, or BKR status).
- Service and behavior notes: internal notes about over 44,000 customers are on the street regarding, among other things, fraud investigations or behavior in stores ("customer reacts aggressively in the store") or with online customer service ("difficult conversation").
E) Authentication and vulnerable groups
- Password_c: 'code words' for telephone verification were stored unencrypted (plaintext) in the system. Although blocked by Odido, they are worth their weight in gold for scammers to gain your trust.
- Assistance: for 71,000 accounts, the email address of a guardian or helper has been leaked, creating a specific risk of targeted guardianship fraud.
- Safety files: the dataset contains very sensitive information about individuals whose address had to remain secret for safety reasons, such as in cases of stalking or domestic violence.
Not involved (explicitly mentioned)
- Passwords of 'My Odido'
- Call data (who/when)
- Location data
- Invoice data
- Scans of identity documents
This "varies per customer" nuance is important: the exact combination may vary. But that is why a risk approach is useful: the more elements from A/B/C/D/E come together, the more convincing a scammer can sound.
Editorial hygiene: there are also broader claims circulating online about "ID documents". Since February 12, it has been confirmed: no scans of identity documents. While in the first data dumps of February 26 and 27, document numbers of passports or driving licenses seemed to be missing, it has now been definitively confirmed in the dump of February 28 that the ID numbers + validity are indeed massively on the street. This difference is essential, as it determines whether you should think of "document copies" (which is not the case so far) or "proof-like characteristics" (which is indeed the case) that primarily strengthen social engineering.
Update February 27 (BSN revelation): where Odido initially explicitly stated that no citizen service numbers (BSN) were leaked, analyses of the first data dumps by RTL News and others show that these are indeed present. This is a critical change in the threat landscape; a BSN in combination with bank and address details is for criminals the 'holy grail' for identity fraud. The BSNs have so far mainly been found among (former) self-employed individuals, for whom the BSN was part of the VAT number until 2020.
Brand nuance: sources and updates in such incidents often do not align in timing and wording. Where Ben is explicitly mentioned as part of the hack, the provider denies the impact on Simpel. However, customers report via Have I Been Pwned that their data is in the dump, possibly dating from the Simpel acquisition in 2020. The provider does not explain how this delineation has been technically established; since the investigation is still ongoing, the scope per brand may be refined in the coming time.
Aside from that: scammers often ride along on big news – so also outside the (currently) delineated group, you may see phishing, smishing, and fake helpdesk calls.
Why this data mix is such a problem (without panic, but clear)
Many data breaches are annoying because they affect privacy. This one is particularly sensitive because it does something else: it increases credibility of social engineering.
Customer number + NAW: "I see your file" becomes really credible
If someone has your name, address, and customer number, that person can conduct a conversation as if they are already "in your account". That is exactly the kind of detail that makes people think: okay, this must be true.
IBAN: money framing becomes plausible
With an IBAN, it becomes easier to build a story around "payment", "collection", "refund", "administrative check", or "invoice". Not because they can directly empty your bank account – but because it drives behavior: you are more likely to act quickly when it seems to be about money.
IBAN is not a key – it is a credibility enhancer
Bank nuance (NVB): an IBAN in such a dataset does not mean someone can log in to your banking app or online banking. Your account is therefore not "open" because your account number is known. The real gain for criminals lies in credibility: bank helpdesk fraud, invoice fraud, and payment pressure become more convincing when they can quote your name/address/IBAN.
And what about collections? Even there, banks say: that is usually not the quick route. For SEPA collections, you can generally have it reversed up to 8 weeks after a deduction, and for an incorrect/unauthorized collection, even up to 13 months. Therefore, criminals often choose direct payment tricks and telephone pressure over "quiet" collections.
ID number + validity: "verification" suddenly sounds legitimate
An ID number with an expiration date feels like something that only "real authorities" would know. Criminals use that to apply pressure: "we need to re-confirm your identity, otherwise…" The risk lies in the next step: getting you to click, log in to a fake portal, or agree to something you did not want.
Behavior notes: the ultimate "inside information"
This may be the most dangerous part of the leak. The customer system contains not only NAW data but also super-sensitive information about your payment history – such as whether bills were paid on time and whether there are debts or a BKR registration. The set also contains personal internal notes from customer service, for example, whether someone was aggressive on the phone or caused disturbances in the store.
If a scammer knows that you had a difficult conversation at an Odido store last month, they can convincingly pose as an employee who wants to discuss "your file and the notes that were made", and then ask you to "verify" your details. The threshold to believe such a caller is negligible: how could a stranger know exactly what was discussed in the store? This makes vulnerable groups (such as people with debts or the elderly) an extra attractive target, including for blackmail. Never give out a password, login, or verification code, whatever the caller already appears to know about you.
Impact on vulnerable groups confirmed
After the data dumps at the end of February, and the earlier NOS reporting of February 25 on a sample of 10,000 Odido customer records it had examined, the risk appears greater than expected. Three categories of very sensitive information have been found that exacerbate the impact of this leak:
- Data of victims of stalking and domestic violence: in the second dump, data has been found of individuals whose address and phone number had to remain secret for safety reasons, such as due to stalking or domestic violence. Now that this information is on the street, their physical safety is directly at stake. This goes beyond the definition of a standard data breach and turns the hack for this group into an acute physical safety risk.
- Notes about people under guardianship: NOS research shows that for some customers it was noted that they have a guardian and are therefore under curatorship, including the name of the guardian. This makes this vulnerable group an easy target for very credible fraud.
- Personal circumstances: the notes also contain details about "difficult periods", payment arrears, or incidents where customers were removed from a store.
It is important to understand this well: the aftermath is often multi-channel. Not one phishing email, but a combination: email + SMS + WhatsApp + phone (also known as smishing and vishing), where each message contains just enough real details to make the next channel credible. This type of data mix thus works primarily as groundwork for fraud, not as "directly emptying your bank account".
See it as a credential-less account takeover attempt: not via passwords, but via persuasion and OTP codes.
3 Phishing routes you will likely see in the coming weeks
Figure 6: Anatomy of a phishing SMS. This is how scammers use the leaked data (such as your real name and customer number) in combination with psychological pressure and fake links to get you to click.
No ready-made scripts, but scenarios + red flags:
- "Payment open / collection failed"
• Red flag: time pressure ("today", "last chance"), link, threat ("closure", "costs"). - "Refund / IBAN check"
• Red flag: you need to "confirm" via a link, or you need to "verify" your bank details. - "Verify identity / security check"
• Red flag: asking for ID details, codes, or logging in via a link outside the official app/site.
Always the same countermeasure: do not respond in the channel they choose. You choose the channel, not them: go to your app/site yourself, call back via the official number.
And now the bridge to the practical part: if this is the attack vector (persuasion + channel choice), then your defense is also behavior: you determine the channel.
What you should do now as a customer (order of impact)
If you only do one thing today, let it be this: train the reflex 'do not click → check yourself'. This prevents most of the misery, even if you are not sure whether your data was in a leaked set.
Why that hard reflex is so crucial right now? Recent research into digital resilience shows that overconfidence poses a significant risk; for example, 9 out of 10 Dutch people do not always recognize online fraud, no matter how confident they are in their own vigilance.
1) Do not click anywhere – go to the official environment yourself
If you receive an email or SMS about this incident, or about payments or checks, do not open it via the link. Go to your provider's environment or your banking app by opening it yourself.
2) Turn on bank notifications (alerts)
If your bank supports it: notifications for transactions, limits, and (where possible) changes such as new beneficiaries. The goal is not "panic", but quick detection if something strange happens.
Bank check: IBAN leaked ≠ someone can access your bank
Banks emphasize that this data does not provide access to your banking app or online banking. The "IBAN risk" is purely about credible fraud (payment pressure, fake helpdesk). Also, automatic collections are rarely a quick route for criminals: a SEPA collection can usually be reversed up to 8 weeks after deduction, and for an unauthorized deduction, you have 13 months to report this and have it reversed.
3) Be extra vigilant for "payment pressure" and "verification pressure"
The common thread in successful fraud is emotion: act now. Anything that pressures you to "pay now" or "verify now": extra distrust.
4) Checking the sender is allowed, but is never proof
An email can look perfect. Checking the sender/domain is useful, but criminals can also use convincing senders through detours. See it as a signal, not as proof. The provider lists info@mail.odido.nl as the sender for notifications; consider that a hint, not hard evidence.
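The three scenarios listed earlier (payment pressure, refund/IBAN check, identity verification) and the sender check in step 4 can be turned into simple triage rules. The script below is an added example, not from the article or from Odido: it scores a message body for the red flags named above and checks the From header against the notification domain the article cites, treating a matching display name as no evidence at all. The two sample messages are constructed; the only real domain in them is mail.odido.nl, which the article gives as the sender of the notifications.

```python
"""Phishing triage for the red flags described in the article.  Added example;
the sample messages are constructed and the non-Odido domains are placeholders."""
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAINS = {"odido.nl", "mail.odido.nl"}   # from the article; nothing else counts

RED_FLAGS = {
    "time pressure": re.compile(r"\b(within \d+ hours?|today|last chance|immediately)\b", re.I),
    "threat": re.compile(r"\b(disconnect\w*|clos(ed|ure)|doubl\w*|extra costs|block\w*|suspen\w*)\b", re.I),
    "link": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    "verification request": re.compile(
        r"\b(verify|confirm)\b.{0,40}\b(iban|bank|identity|id|code|account)\b", re.I | re.S),
    "money framing": re.compile(r"\b(refund|payment|collection|invoice|fine)\b", re.I),
}


def registrable_domain(domain):
    """Toy: last two labels (mail.odido.nl -> odido.nl).  Real code uses the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def body_flags(text):
    return [name for name, rx in RED_FLAGS.items() if rx.search(text)]


def sender_flags(msg):
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    official = registrable_domain(domain) in {registrable_domain(d) for d in OFFICIAL_DOMAINS}
    flags = []
    if not official:
        flags.append(f"From domain '{domain}' is not an official domain")
        if "odido" in domain:
            flags.append("lookalike domain")
        if "odido" in display_name.lower():
            flags.append("display name impersonates Odido")
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if "@" in return_path and return_path.rsplit("@", 1)[-1].lower() != domain:
        flags.append("Return-Path domain differs from From domain")
    return flags


def triage(raw_message):
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags = sender_flags(msg) + body_flags(body)
    return {"flags": flags, "score": len(flags),
            # Same advice whatever the score: a clean sender is a hint, never proof.
            "advice": "Do not act in this channel; open the official app or call the published number yourself."}


# Constructed samples, not real messages.
PHISH = """From: "Odido Klantenservice" <service@odido-klant.invalid>
Return-Path: <bounce@mailer-7.invalid>
Subject: Incasso mislukt
Content-Type: text/plain; charset=utf-8

Dear customer, your collection of EUR 41.50 failed. Pay within 24 hours via
https://odido-klant.invalid/pay, otherwise your connection will be disconnected
and the amount doubled.
"""

NOTICE = """From: "Odido" <info@mail.odido.nl>
Return-Path: <bounce@mail.odido.nl>
Subject: Information about the data incident
Content-Type: text/plain; charset=utf-8

We have informed you about the data incident. Open the My Odido app yourself to
see which of your details are involved.
"""

if __name__ == "__main__":
    for sample in (PHISH, NOTICE):
        print(triage(sample))
```

The score only ranks how loudly a message is trying to make you act; the advice is deliberately identical for both samples, because a sender that passes every check here can still be a spoof or a compromised account. The decision that protects you is choosing the channel yourself.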
5) Changing your password is possible, but not because it has been leaked
The shared information states that passwords are not involved. You can always change your password as a matter of hygiene (especially if you reuse it elsewhere), but it is not an "emergency measure" due to this leak.
6) Unexpected call? Apply the call-back rule
Figure 7: The 'Call-back rule' in action. Your main defense against telephone fraud. Do not trust the incoming call if data or action is requested, and take the initiative via an official channel.
Are you called by "Odido" or "your bank"?
- Hang up.
- Do not use the call back button in SMS.
- Look up the official number on the site or app. For safety, use the known numbers: 0800-0092 (private) or 0800-7112 (business).
- Call back yourself via that number.
This is one of the most effective anti-fraud habits there is.
7) Check your BKR registration
Because ID numbers and expiration dates have been leaked, scammers may try to apply for credit in your name. You can request your BKR overview for free once a year to check if there are any unknown loans in your name.
8) Activate your free security
Odido offers affected individuals two years of free F-Secure Total. This package includes identity monitoring that alerts you if your data appears on the dark web. Use the activation code from the official email (sender: info@mail.odido.nl), but for safety, go directly to the official Odido site and do not click on links in the email itself.
9) Check your data via Have I Been Pwned & the police's 'Check Your Hack'
After security researchers first processed 1 million records, the complete dataset of 21 million records is now safely searchable via the warning site Have I Been Pwned. In addition to Have I Been Pwned, the National Police offers the official platform 'Check Your Hack': this is also a safe and legal tool that allows citizens to check if their data has fallen into criminal hands. It is strongly recommended to fill in your email address on both; this way, you will know immediately if your data is in the final dump, regardless of communication from Odido itself.
10) Do not download the data yourself
The police warn that searching for or downloading the datasets on the dark web is punishable as handling stolen data ('heling', art. 138c Penal Code). Therefore, use only safe, legal tools like Have I Been Pwned to check your status.
11) Sign up for the legitimate mass claim
Since there is no official compensation scheme from the provider or government, a legitimate external procedure has been initiated by interest group Consumers United in Court (CUIC). You can now sign up for this mass claim.
12) Beware of false damage claims
Be alert for websites or messages that promise high compensation (such as €1,500) on behalf of "legal collectives". Since the leak, this has become a known form of follow-up phishing to extract private data again. Always check through your own research whether you are on the official CUIC website, and never fill in private data via unexpected links.
Where to report suspicious messages or damage?
If you receive a suspicious SMS/email/WhatsApp/call: take a screenshot (or note time/number), click on nothing, ensure you block these spam messages directly on your phone, and report it to the Fraud Helpdesk (so that patterns become visible). If you see concrete damage (unknown transactions, new beneficiaries, account changes): call your bank via the official number and have it blocked/investigation started immediately. If it concerns your telecom account: contact your provider via the official app/site.
Have you unexpectedly become a victim of a data breach? Here’s what you can do according to the Data Protection Authority.
The 'Golden Rule': what you never give
No passwords, no PIN codes, no login codes (not even "to cancel"), and no identity details via phone or link.
Extra red flag: disposable email addresses in verification SMS
If you receive a verification code in which a username/email address appears that you do not recognize (for example, a temporary or "disposable" mail domain like denipl.com), assume that someone is trying to link or log into an account. Never share the code, click on nothing, and check yourself via the official app/site whether your account details are correct.
If you accidentally clicked on a suspicious link and suspect an infection on your phone, take immediate action and read here how to quickly remove malware.
Security reality check: why contact center/CRM is a crown jewel
For security readers, the setting is almost more important than the brand. A customer contact system is often a perfect storm:
- It contains a lot of PII (personal data) in one place.
- It has many users/roles (customer service, supervisors, partners).
- It is connected to many integrations (CRM, ticketing, email, marketing tools, identity providers).
- And it is built for speed and service, not for "minimal data access".
Figure 8: CRM systems as digital crown jewels. Modern customer contact environments are a sought-after target because they combine enormous amounts of personal data with deep technical integrations in one place.
This "perfect storm" is not only technical but also human: if attackers manage to get employees to approve an extra security step through phishing and a credible phone call, you suddenly have access to exactly the place where service and speed are more important than friction. That is also why contact center roles, device trust, and phishing-resistant MFA (and especially: no approval flow via phone) are so decisive: you are not only protecting a system but also the decision moment of the employee.
This chain (phish + 'ICT' call + MFA approval) shows exactly why contact center accounts are such an attractive target: one human agreement can break the technical barrier, after which scraping/export suddenly becomes scalable.
That makes "are the services still running?" too narrow a question. The real impact lies in reputation, phishing waves, fraud attempts, support load, compliance, and recovery costs.
What "many integrations" often means in practice: more accounts, more permission sets, more tokens/sessions, and more paths to export data (reports, APIs, bulk queries). Each additional link is an extra place where identity & access management (IAM) can go wrong – and each additional role is an extra chance for "too broad" rights.
5 questions every CISO is asking now
- What was the initial access path (credentials, phishing, third party, something else)?
- Least privilege: who could export/download on a large scale?
- Detection: how quickly was it seen, and what was the dwell time?
- Exfiltration detection/logging: what is visible in outgoing traffic and downloads?
- Segmentation/isolation: why could this system disclose so much customer data at once?
You do not need to guess the answers as an outsider – but this is the checklist with which you assess whether an organization treats such systems as "crown jewels".
Because the human factor remains the weakest link in such attacks, organizations are forced into a more active defense; simulated phishing has therefore become an indispensable training tool in 2026 for structurally arming customer service and IT staff against AI-driven social engineering.
Direct action points for IT teams and CISOs
- Check export rights and bulk query permissions (who can see "everything"?)
- Increase monitoring on exfil signals (outbound spikes, unusual exports, new API tokens)
- Run a "least privilege" review on contact center/CRM roles + third-party accounts
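The three action points above can be checked mechanically against a CRM or contact-center audit log. The following is an added example, not Odido's or any vendor's code: it triages JSON-lines audit events for exports by roles that should not have export rights, single bulk exports, many small exports that add up within a window, and freshly minted API tokens. The log format, role names, thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Triage a contact-center/CRM audit log for exfiltration signals.
Added example; format, roles and thresholds are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Least-privilege baseline (assumed): which roles may export or mint API tokens.
ALLOWED = {
    "agent": set(),                          # front-line agents: single-record work only
    "supervisor": {"export"},                # bounded report exports
    "integration": {"export", "api_token"},  # service accounts behind integrations
}
BULK_RECORDS = 500                 # one export larger than this counts as bulk
WINDOW = timedelta(hours=1)
WINDOW_RECORDS = 1500              # total exported per user per window before alerting

def triage(lines):
    """Return a list of (user, reason) findings from JSON-lines audit events."""
    findings = []
    recent = defaultdict(list)     # user -> [(timestamp, records)] inside WINDOW
    for raw in lines:
        ev = json.loads(raw)
        ts = datetime.fromisoformat(ev["ts"])
        user, role, action = ev["user"], ev["role"], ev["action"]
        # 1. Least privilege: the role is not allowed to do this at all.
        if action in ("export", "api_token") and action not in ALLOWED.get(role, set()):
            findings.append((user, f"{action} by role '{role}' violates least privilege"))
        # 2. Exfil volume: one bulk export, or many small ones that add up.
        if action == "export":
            n = ev.get("records", 0)
            if n > BULK_RECORDS:
                findings.append((user, f"bulk export of {n} records"))
            recent[user] = [(t, r) for t, r in recent[user] if ts - t <= WINDOW] + [(ts, n)]
            total = sum(r for _, r in recent[user])
            if total > WINDOW_RECORDS:
                findings.append((user, f"{total} records exported within {WINDOW}"))
        # 3. New tokens are a new path to the data; always surface them for review.
        if action == "api_token":
            findings.append((user, "new API token minted"))
    return findings

# Constructed sample log: an agent exporting in small chunks, a supervisor doing one
# oversized export, a service account and an agent each minting a token.
SAMPLE = [
    '{"ts":"2026-02-20T09:00:00","user":"agent17","role":"agent","action":"view","records":1}',
    '{"ts":"2026-02-20T09:05:00","user":"agent17","role":"agent","action":"export","records":400}',
    '{"ts":"2026-02-20T09:20:00","user":"agent17","role":"agent","action":"export","records":400}',
    '{"ts":"2026-02-20T09:40:00","user":"agent17","role":"agent","action":"export","records":400}',
    '{"ts":"2026-02-20T09:55:00","user":"agent17","role":"agent","action":"export","records":400}',
    '{"ts":"2026-02-20T10:00:00","user":"sup02","role":"supervisor","action":"export","records":2500}',
    '{"ts":"2026-02-20T10:30:00","user":"svc-crm","role":"integration","action":"api_token"}',
    '{"ts":"2026-02-20T10:45:00","user":"agent03","role":"agent","action":"api_token"}',
]

if __name__ == "__main__":
    for user, reason in triage(SAMPLE):
        print(f"{user}: {reason}")
```

In a real deployment the same three checks would run against the CRM's export/report and token-issuance events; the thresholds need tuning per environment so that legitimate report runs do not drown the signal.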
Communication & incident response: what works, what grates
What works well in information provision: one central place with updates, a clear "yes/no" list, and expectation management about the notifications. This prevents customers from guessing en masse or filling in scenarios themselves.
Where it grates for many: "possibly" and "varies per customer" feel vague. But in incident response, that is often honest: you can only be 100% firm once you have validated the impact per record well. Therefore, it helps to think in risk levels (A/B/C/D/E): the more categories come together, the higher the chance of convincing social engineering.
Good incident communication is not only "what has leaked", but especially "what reflex should I have as a customer". And that reflex is almost always the same in 2026: do not click, check yourself, call back.
Q&A about the data breach
Have passwords been leaked? No – passwords of 'My Odido' are not involved. Although login passwords are safe, some customers' 'code words' under the field "password_c" have been leaked. This is not a login password, but a code word used for verification during telephone contact. It shows that sensitive authentication data was stored unencrypted (in plaintext) in the system, and these are code words that people change even less often than a regular password. Odido has now completely blocked this system, making the codes no longer usable for changes with the provider. However, be aware: a scammer can use this code word to gain your trust over the phone by quoting it flawlessly.
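The plaintext "password_c" field is the design flaw here: a telephone code word is a secret the customer has to prove, so it should be stored the same way a login password is. Below is an added example (not Odido's code) of storing the code word as a salted, slow hash and checking a caller's answer against it; the function names, record layout, KDF choice and the sample code word are assumptions.

```python
"""Store a telephone verification code word as a salted hash, not plaintext.
Added example; names, record layout and KDF parameters are assumptions."""
import hashlib
import hmac
import json
import os

ITERATIONS = 200_000   # assumed cost; prefer argon2id or scrypt where the platform offers it

def normalize(word: str) -> str:
    """Code words are spoken over the phone, so compare case- and whitespace-insensitively."""
    return " ".join(word.casefold().split())

def store_code_word(word: str, salt: bytes = None) -> dict:
    """Return the record to persist in place of a plaintext 'password_c' column."""
    salt = salt or os.urandom(16)                       # per-record salt: equal words, different hashes
    digest = hashlib.pbkdf2_hmac("sha256", normalize(word).encode(), salt, ITERATIONS)
    return {"kdf": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_code_word(record: dict, attempt: str) -> bool:
    """Constant-time check of what the caller says against the stored hash.
    The agent never sees the word; the system only answers yes/no."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(attempt).encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def leaks_plaintext(record: dict, word: str) -> bool:
    """True if a dump of this record would hand the code word to a scammer."""
    return normalize(word) in json.dumps(record).casefold()

if __name__ == "__main__":
    plaintext_row = {"password_c": "Zonnebloem 42"}     # constructed: the leaked-style layout
    hashed_row = store_code_word("Zonnebloem 42")       # constructed sample code word
    print("plaintext row leaks:", leaks_plaintext(plaintext_row, "Zonnebloem 42"))
    print("hashed row leaks:   ", leaks_plaintext(hashed_row, "Zonnebloem 42"))
    print("caller says right word:", verify_code_word(hashed_row, " zonnebloem 42"))
    print("caller says wrong word:", verify_code_word(hashed_row, "Zonnebloem 43"))
```

Hashing changes the verification flow: the agent can no longer read the word back to a caller, only ask for it and let the system confirm, which is also what stops an impersonator from "quoting it flawlessly".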
Can I safely continue to use the internet/call/watch TV? The service continued; this incident concerns customer data from a contact system, not taking down the network.
What if I do not receive an email/SMS? After an earlier generic email, Odido started informing individual victims in mid-March about which specific data of theirs has been leaked via email (sender email: info@mail.odido.nl – also check your spam) or via SMS. The period of the first broad information round has now passed. If you have not received anything so far, that is an indication that you are not part of the approached group. However, remain alert: 'freeloader phishing' can still reach you now that the news is widely circulating. If you receive messages that tap into this now? Treat these as very suspicious, click on nothing, and always check your account status via the official app or site.
Is the data already online? Yes. Because Odido refused to pay the ransom after ShinyHunters threatened to publish the data, ShinyHunters began stepwise publications on the dark web on February 26. The first dumps contained direct private data (names, addresses, 275,000 IBANs, and customer notes about, among other things, guardians and ex-partners) of hundreds of thousands of consumers and companies. Although the hackers threatened to leak 1 million of the 21 million claimed lines daily, they halted this blackmail on March 1 by releasing the entire dataset at once. The data is now definitively public property of the criminal circuit.
Figure 9: The 'Final Warning' on the dark web site of ShinyHunters. The hackers threaten to publish the data of what they claim to be "~21M Records". Source: screenshot of the dark web site of the ShinyHunters platform.
On their dark web platform, the hackers posted a "Final Warning" on February 24 to force Odido back to the negotiating table: "This is a final warning to come back to our chat and finish what we set out to do before we leak along with several annoying (digital) problems that will come your way..."
Is the number of 6.2 million accounts correct? This has been questioned several times. While Odido officially spoke of 6.2 million accounts, ShinyHunters claimed via RTL News that they had data from 8 million users. They later even claimed to possess data from more than 10 million (former) customers. The publication of the complete dataset finally clarified the actual numbers: analysis of the data shows that it concerns approximately 6.5 million unique individuals and 600,000 business accounts. This results in the number of victims being slightly higher than the 6.2 million that Odido initially reported, but significantly lower than the 10 million that the hackers claimed.
Who exactly is ShinyHunters? This is not a group of amateurs. ShinyHunters made headlines in 2024 due to the massive data theft at Ticketmaster, where data from hundreds of millions of customers was compromised. Previously, tech giants and luxury brands such as Microsoft, Jaguar, and Louis Vuitton were also targeted. The group is known for its aggressive extortion methods: they often publish samples of the data to increase pressure. Who is behind the group remains unclear.
Should I call my bank? Not as a standard. Do turn on alerts and be extra sharp on payment and verification requests. Call your bank if you see concrete signals (unknown transactions, strange requests, threatening phone calls).
Should I change my account number or be afraid of collections? Banks emphasize that the leaked data does not provide access to your banking app or online banking, and that the "collection route" is cumbersome for criminals. The biggest risk remains social engineering: you confirming or paying something at the wrong moment. If an unwanted deduction occurs anyway? SEPA collections can usually be reversed up to 8 weeks; for unauthorized deductions, you have 13 months to report this and have it corrected.
Should I replace my SIM card, account number, or ID? Usually not. This incident mainly revolves around social engineering: convincing messages/calls that push you towards a payment, login, or code. A new account number or SIM card is rarely the first step. Focus on: bank alerts, the call-back rule, and never sharing codes. Only in the case of concrete signals (unauthorized transactions/collections, visible account changes, or repeated abuse) is escalation logical: call your bank/provider via official channels.
What is the biggest risk for consumers? Not "directly hacking your account", but phishing/fraud that becomes much more convincing due to this data mix.
Ben/Simpel: do I fall under this? Ben is mentioned in reports as part of the affected set. Simpel customers do not seem to be part of the affected group for now, although details in an incident of this scale can still shift. According to NU.nl, Odido customers (including Ben and Simpel) are being informed. Regardless of this brand delineation, the aftermath (phishing/OTP attempts) may spread wider than the officially confirmed set. The advice remains unchanged: never click on links, check data only via the official app or site, and apply the call-back rule in case of suspicious calls.
Update March 1 (The Simpel paradox): although both Odido and Simpel continue to insist on their official channels that Simpel customers have not been affected, that statement does not hold true for all cases according to affected individuals in the community. Customers who ended up with the company around the T-Mobile acquisition (now Odido) in 2020 report that they are indeed receiving official notifications from Have I Been Pwned that their data appears in the Odido leak. Whether this is due to Odido's excessively long retention period or to how subsidiaries have stored their sets is unclear. The warning now applies to the entire portfolio: be alert, even with a subsidiary brand.
I suddenly receive verification codes (Ben/Simpel/Odido), am I hacked? Usually, this means that someone is trying to log in or link an account – not that they are already "inside". Never share the code. Log in yourself via the official app/site, check if your email/data is correct, and contact the provider if it happens repeatedly.
Do I have the right to compensation? A data breach does not automatically grant the right to compensation. While Odido offers apologies and provides 2 years of security software F-Secure, there is no collective financial arrangement from the provider itself. An individual compensation from Odido typically requires proof of actual, incurred damage. Therefore, an external mass claim against the provider has now been initiated.
How do I sign up for the mass claim against Odido? Affected individuals can join the official mass claim of interest group and privacy foundation Consumers United in Court (CUIC) via their website. Be careful of fake claim assistance: websites or emails that promise quick money are often follow-up phishing. Always check yourself whether you are on the official CUIC site and never fill in private data on unknown claim sites.
For the most current status, also check the official safety page of Odido regarding this incident.
Closing remarks on the Odido hack
If you have to remember one sentence: this is a social engineering accelerant. The damage lies not only in what has been taken, but in how credible criminals can sound with it – especially since there are no "hard" signals like leaked passwords that immediately alarm everyone.
Figure 10: Do not be misinformed. A clear example of a phishing attempt that taps into the news. The message is simple: never click on the link, but go to the official website or app yourself.
In the aftermath of this leak, the most likely threat is a wave of convincing messages and calls. And the best defense is boring but effective: do not click, go to the official environment yourself, and apply the call-back rule.
The threat of online crime is ultimately greater than many think: research from 2024 shows that online crime affects 2.4 million Dutch people annually, with young people and online shoppers facing a significant risk, and that figure shows how large-scale this hack at Odido is compared to what is normal in a year.