Dutch Police Say Local Hackers Helped Pull Off the Odido Breach That Exposed 6.2 Million Customers

A phone call to customer service, a fake IT worker, and a phishing page: how criminals allegedly walked out with data on nearly every Odido subscriber.

ThreatVectr Newsdesk· 4 min read
Photoreal editorial image, full frame 16:9, of a dimly lit call centre workstation at night: a headset resting on a keyboard, a blurred screen showing an abstra
Share

Key points

  • The Dutch National Police said on Thursday it has strong indications that Dutch nationals helped carry out the February breach at telecoms provider Odido.
  • Odido disclosed on 12 February that attackers reached its customer contact system on 7 February and stole personal data on 6.2 million customers.
  • Investigators traced a phone call in which a Dutch-speaking man posed as an Odido IT employee shortly before the break-in.
  • The extortion crew ShinyHunters claimed the attack and posted an 88GB archive with more than 15 million records on its dark web leak site.
  • Exposed fields may include names, addresses, phone numbers, email addresses, IBAN bank numbers, dates of birth and some ID document numbers.

Odido is one of the largest phone and internet companies in the Netherlands. In February, someone walked out with the personal details of most of its customers. This week, Dutch police said they think they know part of the answer to how: at least some of the people behind the attack were Dutch themselves.

The method was almost embarrassingly old-school. Someone rang Odido's customer service line. He spoke Dutch. He said he worked in the company's IT department. That call, police say, was the opening move.

What came next was phishing, where criminals send fake messages or set up fake login pages to trick staff into typing in their passwords. Once a real Odido employee handed over credentials, the attackers walked into the customer contact system and started downloading.

"This type of investigation is often complex and takes time, but cybercriminals are also vulnerable and leave traces," said Stan Duijf, head of operations at the National Investigation and Interventions Unit. Investigators have been picking up those traces for months.

What data was actually taken?

Odido says the stolen file varies from person to person, but it can include full name, home address, mobile number, customer number, email address, IBAN (the bank account number used across Europe), date of birth, and some identity document numbers such as passport or driving licence, along with their expiry dates.

The company says some sensitive things were not taken. Call records, location data, billing details, scans of ID documents and passwords for the Mijn Odido customer portal were not in the stolen set.

That still leaves plenty for fraud. A name, address, date of birth and IBAN is a starter kit for impersonation and for the kind of scam calls and texts that follow every big telecoms breach.

Should Odido customers be worried?

Yes, but the useful response is boring, not panicked. Assume your details are floating around. Treat any call, text or email that claims to come from Odido, your bank or the tax office with suspicion, especially if it pushes you to click a link or read out a code.

Banks in the Netherlands will not ask you to move money to a "safe account." Odido will not ask for your password. If in doubt, hang up and call back on a number you find yourself.

Who are ShinyHunters?

Odido has not officially named the culprits. But the extortion group ShinyHunters posted the company on its dark web leak site, dumping an 88GB archive with over 15 million records, first reported by BleepingComputer.

ShinyHunters is a busy crew. They run vishing campaigns, which is phishing done over the phone, often pretending to be IT support to talk employees into handing over their login and their multi-factor code (the extra code from an app or text message that is meant to keep accounts safe).

Once inside, the group hoovers data out of whatever business apps the victim uses: Microsoft 365, Google Workspace, Salesforce, Slack, and others. They have been linked to intrusions at Google, Cisco, Match Group and the European Commission, among a long list, plus the wave of Snowflake customer breaches last year.

If that pattern holds, the Odido hack was not clever code. It was a good actor with a phone.

© 2026 Threat Vectr