Odido Data Breach: ShinyHunters Claim 21 Million Records with Passports, IBANs, and Passwords
One of the Netherlands' largest mobile providers just suffered one of the worst data breaches in Dutch history. And instead of a wake-up call, the country hit the snooze button.
Odido, formerly T-Mobile Netherlands, has confirmed that hackers accessed data from 6.2 million accounts. The hacking group ShinyHunters, which claimed responsibility, says the real number is 21 million records, including names, addresses, IBANs, passport numbers, driver's license numbers, and, according to their claim, service passwords stored in plaintext.
Cybersecurity expert Jim Stolze, writing in De Telegraaf, put it bluntly: "Criminals have hit the jackpot and can run off with our identities. Despite this wake-up call, we hit 'snooze' and sleep a little longer."
Critical: The stolen data includes passport numbers, driver's license numbers, and IBANs. This is everything a criminal needs to pass identity verification at banks, government agencies, and other institutions. If you are or were an Odido, T-Mobile NL, or Ben customer, take immediate action. Simpel customers are not affected.
Timeline: How the Breach Unfolded
| Date | What Happened |
|---|---|
| Feb 7-8, 2026 | First signals reach Odido that something is wrong. Investigation begins immediately |
| Feb ~10, 2026 | Odido confirms the breach internally, notifies the Autoriteit Persoonsgegevens (AP) |
| Feb ~12, 2026 | Odido begins sending personal notification emails to affected customers from info@mail.odido.nl |
| Feb 17, 2026 | Financieel Dagblad reveals Odido retained data far longer than its 2-year policy. Customers from 5-10+ years ago received notifications |
| Feb ~20, 2026 | ShinyHunters publicly claims the attack, demands a seven-figure ransom, threatens to publish data on the dark web |
| Feb 23, 2026 | Odido offers all customers 2 years of free F-Secure Total (without VPN). Normally worth 100 EUR/year |
| Feb 24, 2026 | Cybersecurity expert Jim Stolze criticizes Dutch complacency in De Telegraaf column |
ShinyHunters: A Repeat Offender
This is not some unknown hacking group. ShinyHunters is one of the most prolific cybercrime operations in the world, responsible for some of the largest breaches in recent history:
| Target | Year | Records |
|---|---|---|
| Ticketmaster | 2024 | 560 million |
| AT&T | 2024 | 73 million |
| Santander Bank | 2024 | 30 million |
| T-Mobile US | 2021 | 77 million |
| PornHub | Recent | 1.5 million (NL) |
| Odido (T-Mobile NL) | 2026 | 21 million (claimed) |
The fact that ShinyHunters previously breached T-Mobile US in 2021 makes this even worse. The same group, targeting the same telecom brand, five years later. RTL Nieuws independently verified that ShinyHunters is indeed behind the Odido breach.
ShinyHunters posted their claim on dark web forums, listing Odido NL & Ben.nl as victims:
ShinyHunters' dark web posting claiming the Odido and Ben.nl breach
How the Hack Happened: Social Engineering 2FA
According to Tweakers, the hackers gained access by social engineering two-factor authentication codes from Odido employees. This means they didn't brute-force their way through some firewall or exploit a zero-day vulnerability. They tricked real people into handing over their 2FA codes, which gave them access to Odido's customer contact system.
Once inside, they downloaded the customer data in what Odido describes as a "cunning and unauthorized" manner. The breach affected Odido's klantcontactsysteem (customer contact system), not the main network infrastructure. This is an important distinction: Odido says their network, call services, and internet services were never disrupted.
Why social engineering still works: You can have the best firewall and encryption in the world. If an attacker can convince an employee to read out a one-time code over the phone or paste it into a look-alike page, none of that matters. A 2FA code is a bearer token: it proves nothing about who is typing it or where, and whoever holds it inside the validity window is authenticated. Phishing-resistant methods (FIDO2 security keys and passkeys) remove that step entirely, because there is no code for an employee to share and the signed assertion is bound to the site that requested it. Human beings remain the weakest link only as long as the process hands them a secret they can be talked out of.
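To make the bearer-token point concrete, here is an added illustration (not Odido's code, and not a description of Odido's actual login flow; the TOTP seed, device key, server classes and origins are all made up). It simulates a socially engineered TOTP code being accepted by the system it was stolen for, and then a simplified origin-bound challenge-response, modelled loosely on WebAuthn, rejecting the same relay because the signature covers the origin the user actually saw:

```python
"""Added illustration: why a 2FA *code* can be talked out of an employee
and used by the attacker, while an origin-bound assertion cannot.
Not Odido's code; secrets, origins and server classes are assumptions."""
import hashlib
import hmac
import os
import struct


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time counter, dynamic truncation)."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CodeBasedServer:
    """Login step that accepts a TOTP code. The code is a bearer token: it
    says nothing about who is typing it or where; whoever holds it inside
    the validity window is authenticated."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def login(self, code: str, at_time: int) -> bool:
        return hmac.compare_digest(code, totp(self.secret, at_time))


def sign_assertion(device_key: bytes, challenge: bytes, origin_shown_to_user: str) -> bytes:
    """What the authenticator does: it signs the origin the browser actually
    loaded, not whatever origin the caller on the phone claims to be.
    (Real WebAuthn signs clientDataJSON, which carries the origin, with a
    per-site asymmetric key; an HMAC stands in for that here.)"""
    return hmac.new(device_key, challenge + origin_shown_to_user.encode(), hashlib.sha256).digest()


class OriginBoundServer:
    """Simplified WebAuthn-style step: the server verifies the assertion
    against a fresh challenge and its *own* origin."""

    def __init__(self, device_key: bytes, origin: str) -> None:
        self.device_key = device_key
        self.origin = origin
        self.challenge = b""

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(32)
        return self.challenge

    def login(self, assertion: bytes) -> bool:
        expected = sign_assertion(self.device_key, self.challenge, self.origin)
        return hmac.compare_digest(assertion, expected)


def relay_totp_code(now: int = 1_770_000_000) -> bool:
    """Attacker phones an employee, claims to be IT, asks for 'the code'.
    The employee reads it out; the attacker types it in. Server accepts."""
    seed = b"constructed-employee-totp-seed"  # constructed, not a real seed
    server = CodeBasedServer(seed)
    code_read_out_over_phone = totp(seed, now)  # what the employee's app shows
    return server.login(code_read_out_over_phone, now)


def relay_origin_bound_assertion() -> tuple:
    """Same attacker, but the support tool uses an origin-bound authenticator.
    There is no code to read out; the best the attacker can do is proxy the
    challenge through a look-alike site, and the assertion then covers the
    wrong origin. Returns (relayed accepted?, genuine accepted?)."""
    device_key = b"constructed-device-bound-key"  # constructed
    crm = OriginBoundServer(device_key, "https://crm.example-telco.internal")  # assumed origin
    challenge = crm.new_challenge()
    relayed = sign_assertion(device_key, challenge, "https://crm-example-telco.support")
    genuine = sign_assertion(device_key, challenge, crm.origin)
    return crm.login(relayed), crm.login(genuine)


if __name__ == "__main__":
    print("TOTP code relayed over the phone accepted:", relay_totp_code())
    print("Origin-bound assertion (relayed, genuine):", relay_origin_bound_assertion())
```

The TOTP routine is the standard one (it reproduces the RFC 6238 test vector), so the first scenario is not a strawman: any code-based second factor, app or SMS, can be read out to a convincing caller. The second scenario is the property that matters when choosing MFA for staff who can be phoned.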
What Was Stolen: Two Very Different Stories
Here's where it gets complicated. Odido and ShinyHunters tell very different stories about what was stolen. And the gap between them is alarming.
What Odido Confirms Was Stolen
- Full names
- Addresses and cities
- Phone numbers
- Email addresses
- Customer numbers
- Dates of birth
- IBAN numbers
- Passport or driver's license numbers (including validity dates)
What Odido Says Was NOT Stolen
- Account passwords (Mijn Odido)
- Call records (who you called, when)
- Location data
- Billing information
- Scans of identity documents
What ShinyHunters Claims (Additional)
- Passwords in plaintext - According to Tweakers, these are reportedly the service passwords that customers agree upon for phone verification when making changes to their subscription. Not account passwords, but verification codes used when calling customer service
This is a critical discrepancy. Odido says "no passwords were involved." ShinyHunters says they have plaintext passwords. RTL Nieuws says it has seen evidence supporting ShinyHunters' claims. If the service verification passwords are indeed in the dataset, that's another vector for social engineering: criminals can call Odido pretending to be you and pass the phone verification check.
Even without passwords, this is devastating: Forget about the password dispute. The data Odido confirms was stolen, including passport numbers, IBANs, and dates of birth, is already a complete identity theft toolkit. That's what makes this breach so dangerous.
How Odido Is Downplaying the Breach
Read Odido's official breach page carefully, and you'll notice a masterclass in corporate damage control.
The Numbers Game: 6.2 Million vs 21 Million
Odido says 6.2 million accounts. ShinyHunters says 21 million records. The gap is enormous. One account can have multiple associated records, which may partially explain the difference. But Odido never addresses ShinyHunters' figure at all. They simply ignore it.
The Reassuring Language
Odido's breach page is filled with soothing language designed to minimize concern:
- "Our operational services were not affected; customers can safely continue to call, use internet, and watch TV." - True, but completely irrelevant to the identity theft risk
- "Not every data leak leads to actual misuse." - Technically true, but irresponsible when passport numbers and IBANs are involved
- "No one can view your mobile location data or private contacts." - Again true, but misdirection from the real danger
- "Change your passwords if you feel comfortable doing so, although this is not necessary since no passwords were leaked." - Contradicts ShinyHunters' claim that the service verification passwords are in the dump, a claim RTL Nieuws says it has seen evidence for
Notice the pattern? Every reassurance focuses on what wasn't stolen, while glossing over the catastrophic implications of what was.
Data Retention: The Elephant in the Room
This might be the most damaging revelation of all. Odido's own privacy policy states a 2-year retention period after a customer leaves. Yet according to the Financieel Dagblad and NOS, customers who switched away 5 to 10 years ago received breach notification emails.
When confronted, Odido's response was telling: they said they "need more time to investigate why customer data was retained longer than two years." They don't deny it. They just don't know why.
Odido's FAQ offers a partial explanation: the 2-year clock starts only "after all mutual obligations have been settled," meaning unpaid bills or open service requests could extend the period. But passport numbers from 2015? IBANs from customers who left during the T-Mobile era? That excuse doesn't stretch that far.
GDPR violation: Under the GDPR (AVG in Dutch, implemented nationally by the UAVG), companies must delete personal data once it is no longer necessary for the purpose it was collected for. Retaining passport numbers and IBANs for 5-10+ years after a customer relationship ended is, on its face, a violation of the data minimisation and storage limitation principles (Articles 5(1)(c) and 5(1)(e)). This deserves its own investigation by the Autoriteit Persoonsgegevens, separate from the breach itself.
The F-Secure Package: A Band-Aid on a Bullet Wound
Odido's compensation? Two years of free F-Secure Total, a security package normally worth 100 EUR per year. The package includes:
- Antivirus software
- Automatic website and SMS link scanning
- Phishing detection
- Password manager
- Data leak notifications
- No VPN - Odido explicitly states the VPN feature is excluded, even though F-Secure Total normally includes one
The package works on up to 5 devices (Windows, macOS, Android, iOS). To activate it, Odido mobile customers text "VOUCHER" to 1935. Customers without a mobile number (internet or TV only) can call 0614094035.
But here's the problem: antivirus software cannot protect you from identity fraud. The real threats from this breach are criminals using your passport number to impersonate you at a bank, or using your IBAN and personal details for targeted phishing attacks. No software on your device can prevent that.
The Real-World Danger: Identity Fraud at Scale
Cybersecurity expert Jim Stolze described the stolen data as a "gold mine for phishing attacks" and a "jackpot" for criminals. Here's why.
Think about what happens when you call your bank, an insurance company, or a government agency. They verify your identity by asking:
- What is your full name?
- What is your date of birth?
- What is your address?
- What are the last digits of your IBAN?
- What is your passport or ID number?
Criminals now have all of these answers for millions of Dutch citizens.
As Stolze pointed out in De Telegraaf: "What are the verification questions an official institution asks when you call to change something? Can I have your place of birth for confirmation? What are the last four digits of your bank account? Et cetera." This data gives criminals the missing puzzle pieces for the perfect phishing attack and the perfect impersonation.
In a world where bank branches are closing at record speed and everything moves to phone and online verification, this stolen dataset is a master key. A criminal can:
- Open new bank accounts in your name
- Take out loans using your identity
- Redirect your mail to a different address
- File false tax returns to steal refunds
- Create fake identity documents using your real numbers
- Port your phone number to intercept SMS-based two-factor codes
- Craft targeted phishing that includes your real personal details, making it nearly indistinguishable from legitimate communications
And because physical bank branches are disappearing across the Netherlands, you often can't even walk in and prove in person that someone is committing fraud in your name. You're stuck in a phone queue, explaining to a call center that the person who called earlier wasn't actually you.
Why this breach is different: Most breaches expose email addresses, maybe passwords. This breach exposed government-issued ID numbers that cannot be changed. You can get a new password in 30 seconds. Getting a new passport takes weeks and costs money, and the old number remains in databases for years. According to datalekt.nl, over 900 data breaches have been reported in the Netherlands in the past decade, but few have included identity document numbers at this scale.
The "Snooze Button" Problem
What struck Jim Stolze most was not the breach itself, but the reaction. Or rather, the lack of reaction.
After the initial alarming headlines... nothing. People moved on. Some demanded a few tens of euros in compensation. Life continued as normal. As Stolze wrote: "As if such an attack is just part of the times we live in."
He had hoped this breach would be a national wake-up call. The moment you visit your parents and help them set up a new password. The moment you finally enable two-factor authentication on your personal accounts, not just your work email.
"But instead of a wake-up call, it seems to have become a snooze moment. We postpone the conversation and the actions until next time. Wrong!"
Stolze argues for resilience over resignation: take ownership of your online security, take control of your privacy. Don't wait for Safer Internet Day (which was, ironically, February 10th). Don't wait for "Change Your Password Day" (November 24th). Do something today.
What You Should Do Right Now
If you are or have ever been a customer of Odido, T-Mobile Netherlands, or Ben, you should assume your data may have been compromised. Don't wait for a notification email. Take action now.
Immediate Steps (Do Today)
- Contact your bank. Inform them that your IBAN has been compromised in the Odido breach. Ask about additional security measures. Some banks can add extra verification steps or flag your account for enhanced monitoring
- Enable two-factor authentication (2FA) on every account that supports it. Prefer a passkey or hardware security key where offered; otherwise use an authenticator app (Authy, Google Authenticator, Microsoft Authenticator). Avoid SMS codes: your phone number is in the stolen data, and a number port or SIM swap would let an attacker receive them
- Change passwords on any accounts where you used the same password. Use a password manager like Bitwarden or 1Password to generate unique passwords
- Check your accounts at mijn.odido.nl for any unauthorized changes
- Monitor BKR (Bureau Krediet Registratie) for unauthorized credit applications. Request a free report at bkr.nl
Long-Term Protection
- Watch out for targeted phishing. Criminals now have your real name, address, date of birth, and IBAN. They can craft highly convincing phishing emails and calls pretending to be your bank, the Belastingdienst, or other authorities. When in doubt, hang up and call the organization back on their official number
- Monitor your bank account closely. Check for small "test" transactions that criminals use before attempting larger fraud
- File a complaint with the Autoriteit Persoonsgegevens. The more complaints they receive, the more likely a formal investigation, especially regarding the data retention violations
- Consider reporting to the police if you notice suspicious activity. A police report helps with dispute resolution at banks and credit agencies
- Consider requesting a new passport if yours was in the breach. Your passport number combined with your other personal details is a powerful tool for identity fraud
- Activate the F-Secure package - it's not enough on its own, but the phishing link detection and data leak notifications are useful additions to the manual steps above
Privacy tip: A VPN will not undo a data breach and does nothing against the identity fraud and phishing risks described above; what it does is encrypt your traffic so your ISP or a shared network cannot see which sites you visit. It's ironic that Odido's F-Secure package excludes the VPN feature. Check your current exposure at myip.foo, test for DNS leaks and WebRTC leaks, and consider a VPN like NordVPN to encrypt your connection.
The Bigger Question: Accountability
Several aspects of this breach demand answers from Odido and scrutiny from regulators:
- Social engineering 2FA: How were hackers able to trick employees into sharing 2FA codes? What training and protocols were in place? Was there no anomaly detection on the customer contact system?
- Data retention violations: Why does Odido still hold passport numbers and IBANs of customers who left 5-10+ years ago? Their own policy says 2 years. Saying "we need more time to investigate" is not an acceptable answer for a GDPR-regulated company
- The password dispute: If ShinyHunters' claim about plaintext service passwords is true (and RTL Nieuws says it has seen evidence), why is Odido categorically denying it? Transparency matters
- Ben.nl customers: Ben is Odido's budget brand and was also affected. Were Ben customers aware their data was stored in the same system as Odido's?
- Why passport and driver's license numbers? A mobile phone subscription requires identity verification at signup. But why are the actual document numbers stored indefinitely? Verification and retention are two different things
- GDPR fines: Under GDPR, the maximum fine is 4% of annual global turnover or 20 million euros, whichever is higher. The data retention violations alone warrant serious regulatory action
For comparison: the French ISP Free was fined 42 million euros for a breach that exposed 5 million IBANs, without the added severity of passport numbers or decade-long data retention violations. Odido's potential liability should be significantly higher.
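The anomaly detection question above is the one a security operations team can actually answer with telemetry. As an added illustration (not Odido's logs or tooling; the log format, agent names, addresses and thresholds are all constructed), the following detector reads access logs from a customer-contact system and raises an alert when one agent account reads an unusual number of distinct customer records inside a short window, which is what a bulk download through a support tool looks like from the inside:

```python
"""Added illustration: bulk-read detection over customer-contact-system
access logs. Not Odido's logs or tooling; the log format, names, addresses
and thresholds are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: one customer-record read per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"agent=(?P<agent>\S+) action=(?P<action>\S+) "
    r"customer=(?P<customer>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Parse log lines into events; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "agent": m["agent"], "action": m["action"],
                       "customer": m["customer"], "src": m["src"]})
    return events


def detect_bulk_reads(events, window=timedelta(minutes=10), max_distinct=25,
                      business_hours=(7, 20)):
    """Sliding-window count of distinct customer records read per agent.
    Alerts once per agent when the count exceeds max_distinct, and notes
    whether the reads happened outside business hours (UTC, assumed)."""
    recent = defaultdict(deque)  # agent -> deque of (ts, customer) inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "view_customer":
            continue
        q = recent[ev["agent"]]
        q.append((ev["ts"], ev["customer"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({c for _, c in q})
        if distinct > max_distinct and ev["agent"] not in alerted:
            alerted.add(ev["agent"])
            off_hours = not (business_hours[0] <= ev["ts"].hour < business_hours[1])
            alerts.append({
                "agent": ev["agent"],
                "at": ev["ts"].isoformat(),
                "distinct_customers": distinct,
                "src": ev["src"],
                "off_hours": off_hours,
            })
    return alerts


def _line(ts, agent, customer, src):
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} agent={agent} action=view_customer customer={customer} src={src}"


def build_sample_log():
    """Constructed sample: a.jansen handles a few tickets during the day;
    b.devries's account pages through 60 records in five minutes at night
    from an address not seen before (203.0.113.9 is a documentation range)."""
    day = datetime(2026, 2, 7, tzinfo=timezone.utc)
    lines = [_line(day + timedelta(hours=10, minutes=7 * i), "a.jansen", f"C{2000 + i}", "10.20.0.15")
             for i in range(8)]
    lines += [_line(day + timedelta(hours=23, seconds=5 * i), "b.devries", f"C{1000 + i}", "203.0.113.9")
              for i in range(60)]
    lines.append("garbage line the parser must tolerate")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_reads(parse(build_sample_log())):
        print(alert)
```

A fixed threshold like 25 records per 10 minutes is only a starting point; in practice the baseline is each agent's own history, and the alert becomes far more useful when it is joined with session context such as a source address or device the account has never used before. The point is that an export of millions of records through a support tool is not subtle, and the access log is where it shows.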
Common Questions
What happened in the Odido data breach?
On the weekend of February 7-8, 2026, hackers breached Odido's customer contact system by social engineering 2FA codes from employees. They downloaded data from 6.2 million accounts. The hacking group ShinyHunters claimed responsibility, saying they have 21 million records. They demanded a seven-figure ransom and threatened to publish the data on the dark web. RTL Nieuws verified ShinyHunters' involvement.
How many people are affected?
Odido confirms 6.2 million accounts. ShinyHunters claims 21 million records. Former T-Mobile NL and Ben customers who left 5-10+ years ago also received breach notifications, despite Odido's 2-year retention policy. Simpel customers are not affected. The data that was stolen varies per customer: Odido sent 4 different email variants depending on whether name/address only, plus IBAN, plus ID numbers, or all three categories were exposed.
What data was stolen?
Odido confirms: names, addresses, phone numbers, email addresses, customer numbers, dates of birth, IBANs, and passport or driver's license numbers with validity dates. Odido says account passwords, call records, location data, and billing information were NOT stolen. ShinyHunters separately claims the data includes plaintext service passwords used for phone verification.
I'm a former T-Mobile NL customer. Am I affected?
Possibly. Multiple reports confirm that people who left T-Mobile (now Odido) 5-10+ years ago received breach notifications. Check your email (including spam) for messages from info@mail.odido.nl. If you haven't received one, Odido says you can assume you're not affected, though given the data retention issues, extra vigilance is warranted.
Is the F-Secure package Odido is offering enough?
No. F-Secure Total provides antivirus, phishing detection, a password manager, and data leak notifications, which are useful tools. But it cannot protect you from identity fraud using your stolen passport number or IBAN. Notably, the VPN feature is excluded from the package. The real threats from this breach are social engineering and identity fraud. You must also take the manual steps: alert your bank, enable 2FA, monitor BKR, and stay vigilant for targeted phishing.
Conclusion
The Odido breach is not just a data breach. It's a multi-layered failure: in security (social engineering of 2FA), in compliance (retaining data for years beyond the stated policy), in transparency (disputed password claims, 6.2M vs 21M), and in response (F-Secure without VPN as compensation for stolen passport numbers).
But as Jim Stolze warns, the biggest failure might be ours. This breach should have been a wake-up call for the entire Netherlands. Instead, most people shrugged and moved on.
Key takeaways:
- ShinyHunters claims 21 million records; Odido confirms 6.2 million accounts affected
- Hackers got in by social engineering 2FA codes from Odido employees
- Confirmed stolen: names, addresses, dates of birth, IBANs, passport/driver's license numbers
- Disputed: ShinyHunters claims plaintext service passwords; Odido denies any passwords were stolen
- Ex-customers from 5-10+ years ago affected despite Odido's 2-year data retention policy
- Odido and Ben affected; Simpel customers are not
- F-Secure package excludes VPN and cannot prevent identity fraud
- Criminals now have everything needed to pass identity verification at banks and government agencies
- ShinyHunters previously breached T-Mobile US (2021) and PornHub (1.5M Dutch users)
Don't hit snooze. Do something today. Change your passwords, enable 2FA, alert your bank, and help the people around you do the same. The next breach is not a question of if, but when.
Take control of what you can: You can't prevent a company from keeping your passport number in a database for a decade. But you can minimize your ongoing exposure.
- Check your IP and connection at myip.foo
- Test for DNS leaks that expose your browsing
- Test for WebRTC leaks that bypass VPN protection
- Use a VPN like NordVPN to encrypt your connection