Key Takeaway
In February 2026, the cybercriminal group ShinyHunters breached Odido, the Netherlands' second-largest telecom provider, stealing 6.2 million customer records including names, addresses, IBANs, and passport numbers. The attackers used phishing emails and AI-powered voice agents to bypass MFA, then scraped data from Odido's Salesforce environment. The breach exposed data of government ministers and intelligence personnel.
What Happened
Over the weekend of February 7–8, 2026, attackers breached the systems of Odido, the Netherlands' second-largest mobile telecommunications provider (formerly T-Mobile Netherlands). By Monday, it was over. On February 12, Odido publicly disclosed that hackers had gained unauthorized access to its customer contact system and stolen the personal data of approximately 6.2 million customers. The breach affected both current and former customers of Odido and its sub-brand Ben — and in terms of scale, it's hard to find a worse personal data exposure in Dutch history.
Who Was Behind It
The attack was carried out by ShinyHunters, a well-known cybercriminal group tracked by Google Threat Intelligence as UNC6040. ShinyHunters has been active since 2020 and has a track record of large-scale data theft operations targeting cloud environments. Google's threat intelligence team later reported that the Odido breach was part of a broader ShinyHunters campaign, which they had been tracking since mid-2025, targeting Salesforce cloud customers at more than 400 organizations globally.
How the Attack Worked
Here's what stands out: the attackers didn't use sophisticated technical exploits or zero-day vulnerabilities. No clever code. They used social engineering — manipulating people rather than breaking software. The attack unfolded in distinct phases.
Phase 1: Targeted Phishing
ShinyHunters sent carefully crafted phishing emails to several Odido customer service employees. These emails directed employees to fake login portals that closely mimicked Odido's legitimate Single Sign-On (SSO) pages. When employees entered their credentials, the attackers captured them. Phishing is one of the oldest tricks in cybercrime, and it still works. Constantly. The emails were reportedly well-crafted and targeted. This wasn't the generic mass phishing most spam filters catch, but spear phishing tailored to specific individuals within the organization.
Phase 2: AI-Powered Voice Phishing
This is where it gets interesting. Odido had multi-factor authentication (MFA) in place, which should have stopped the attackers even with stolen passwords. But ShinyHunters bypassed MFA using voice phishing (vishing). They called the compromised employees by phone, impersonating Odido's internal IT helpdesk. The callers asked employees to approve MFA push notifications or share one-time codes, claiming it was part of a system maintenance procedure or security check. According to multiple reports, including analysis from Google Cloud's threat intelligence blog, ShinyHunters used AI-powered voice agents (specifically platforms like Bland AI and Vapi) to conduct these calls. These AI voice systems could dynamically adjust their conversation flow based on the victim's responses. Employees on the receiving end couldn't tell they were talking to a bot. Think about what that means. Traditional vishing requires skilled human operators who can think on their feet and speak the target's language fluently. AI voice platforms removed both of those barriers. Now attackers can run convincing, adaptive phone scams at volume, in any language, around the clock.
AI-powered voice phishing (vishing) is a growing threat. Attackers can now use AI voice agents that sound natural, adapt to conversations in real-time, and are nearly impossible to distinguish from real IT support calls. Employee training must evolve to address this.
Phase 3: Lateral Movement and Data Exfiltration
Once inside with valid credentials and approved MFA, the attackers escalated privileges within Odido's cloud environment. They moved laterally across the infrastructure and deployed automated scripts to scrape records from Odido's Salesforce-based customer contact system. The attackers also established command-and-control (C2) channels to maintain persistent access, so they could keep pulling data all weekend before anyone noticed.
What Data Was Stolen
The stolen dataset included full names, home addresses, email addresses, phone numbers, dates of birth, bank account numbers (IBANs), and identity document details including passport and driver's license numbers. That's a lot of damage. One small relief: passwords, call logs, and billing details were not affected. The breach was limited to the customer contact and identity system rather than billing or authentication infrastructure.
Compromised Data Categories
- Full names and dates of birth
- Home addresses
- Email addresses and phone numbers
- Bank account numbers (IBANs)
- Identity document details (passport numbers, driver's license numbers)
- NOT affected: passwords, call logs, billing information
The National Security Dimension
Then it got worse. What started as a corporate data incident turned into a national security problem when analysis of the leaked data revealed it contained records belonging to four Dutch government ministers, at least one senior intelligence service employee, three individuals under active government protection, and more than 16,000 people working in vital or strategic sectors, including employees at ASML, Damen Shipyards, and Philips. This discovery, reported on March 5 by multiple Dutch media outlets, made the whole situation considerably more serious. When stolen telecom data includes the personal details of intelligence personnel and protected individuals, the implications extend far beyond identity fraud.
Ransom Demand and Data Publication
After the breach, ShinyHunters contacted Odido with a ransom demand of approximately one million euros, later reduced to 500,000 euros. Odido refused to pay, publicly stating it would "not allow itself to be blackmailed," a decision supported by Dutch police and Odido's cybersecurity advisors. When the ransom deadline expired on February 26, ShinyHunters began publishing the data in batches. An initial dump of 680,000 records appeared on the dark web, followed by additional releases over several days. The full cache of stolen data was published on March 1, 2026.
The Response
Odido disclosed the breach publicly on February 12 and notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The company set up a dedicated incident information page and began notifying affected customers. The Dutch Public Prosecution Service launched a criminal investigation on February 25. The Netherlands Inspectorate for Digital Infrastructure opened a separate investigation into whether Odido had adequate security measures in place. The Central Identity Fraud Reporting Point (CMI) reported that fraud inquiries related to Odido data more than doubled in the weeks following the leak, indicating the stolen information was already being exploited for SIM swapping, WhatsApp fraud, and identity theft.
Lessons for Businesses
The Odido breach carries direct lessons for any organization that stores customer data.
1. MFA Is Necessary But Not Sufficient
Odido had multi-factor authentication in place. It wasn't enough. And that should worry you, because most companies treat MFA as the finish line. It's not. MFA can be bypassed through social engineering — we just watched it happen. So what actually holds up? Phishing-resistant MFA methods like hardware security keys (FIDO2/WebAuthn) and passkeys. These are much harder to circumvent than push notifications or SMS codes. Simple test: if your MFA can be approved by a user pressing "yes" on a prompt, it's vulnerable.
3. AI Is Changing the Threat Landscape
How do you defend against an AI that sounds exactly like your IT department? That's the question this breach forces us to ask. AI-powered voice agents have changed what attackers can do with vishing. Before, you needed a skilled human caller who spoke the right language and could improvise under pressure. Now, an AI handles all of that — in any language, at any hour, at scale. So telling employees to "listen for signs of a scam call" isn't going to cut it anymore when the caller sounds perfectly natural. Your threat model needs to account for this. Verification procedures need to be process-based, not perception-based. For a broader look at how AI capabilities are evolving, see our analysis of the current AI landscape.
4. Minimize the Data You Store
Ask yourself: why did Odido's customer contact system contain passport numbers and bank account details for millions of people, including former customers? If that data hadn't been there, this breach would have been a fraction as damaging. Data minimization is simple in concept — only collect and keep the personal data you actually need — but most companies are bad at it. Every piece of personal data you store is a liability. Audit what you hold. Delete what you no longer need. And seriously question whether you need to store sensitive identifiers at all.
5. Cloud Security Requires Its Own Strategy
The Odido breach specifically targeted their Salesforce-based cloud environment. And here's a misconception we see constantly: companies assume their cloud provider handles security for their data. It doesn't. Salesforce provides infrastructure security. But access controls, monitoring, data governance — that's on you. That's the shared responsibility model, and too many organizations get the boundary wrong. You need proper access controls, session monitoring, anomalous behavior detection, and data loss prevention (DLP) policies for any cloud-hosted customer data system. Businesses running enterprise Salesforce environments need dedicated security governance for their cloud data.
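One way to implement the anomalous-access monitoring described above, as an added example (not code from Odido, Salesforce, or the cited sources): it buckets record reads per user per hour and flags bulk, off-hours, or unexpected-location access. The event schema, thresholds, business hours, and the `ZZ` country placeholder are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

EXPECTED_COUNTRIES = {"NL"}    # assumption: where support staff normally log in from
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time, Monday-Friday
OFF_HOURS_LIMIT = 200          # assumed cap: records per user per hour outside business hours
ANY_TIME_LIMIT = 2000          # assumed cap: records per user per hour at any time

# Constructed sample events in a hypothetical export schema:
# (timestamp, user, source country, records read). "ZZ" is a placeholder country code.
SAMPLE_EVENTS = [
    ("2026-02-06T10:15:00", "agent.a", "NL", 40),
    ("2026-02-06T14:30:00", "agent.b", "NL", 55),
    ("2026-02-07T23:05:00", "agent.b", "NL", 1500),
    ("2026-02-07T23:40:00", "agent.b", "NL", 1200),
    ("2026-02-08T02:10:00", "agent.b", "ZZ", 900),
    ("2026-02-08T11:00:00", "agent.a", "NL", 30),
]

def is_off_hours(ts):
    # Weekends (Saturday=5, Sunday=6) and any hour outside BUSINESS_HOURS count as off-hours.
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def find_bulk_access(events):
    """Return one alert per (user, hour) bucket that breaks at least one rule."""
    buckets = defaultdict(lambda: {"records": 0, "countries": set()})
    for stamp, user, country, records in events:
        ts = datetime.fromisoformat(stamp)
        key = (user, ts.replace(minute=0, second=0))
        buckets[key]["records"] += records
        buckets[key]["countries"].add(country)

    alerts = []
    for user, hour in sorted(buckets):
        data = buckets[(user, hour)]
        reasons = []
        if data["records"] >= ANY_TIME_LIMIT:
            reasons.append("bulk-volume")
        if is_off_hours(hour) and data["records"] >= OFF_HOURS_LIMIT:
            reasons.append("off-hours")
        if data["countries"] - EXPECTED_COUNTRIES:
            reasons.append("unexpected-location")
        if reasons:
            alerts.append((user, hour.isoformat(), data["records"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_access(SAMPLE_EVENTS):
        print(alert)
```

Small weekend reads by a legitimate agent stay below the off-hours cap and raise no alert; tune both caps against a baseline of normal agent activity before alerting on them.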
Consider implementing phishing-resistant MFA (FIDO2 security keys or passkeys) for any system that accesses customer data. Standard MFA with push notifications or SMS codes can be bypassed through social engineering, as the Odido breach demonstrated.
Timeline of Events
ShinyHunters infiltrates Odido's systems via phished employee credentials and AI-powered vishing to bypass MFA. Automated scripts begin exfiltrating customer data from the Salesforce environment.
Odido publicly discloses the breach, announces 6.2 million customer records affected, and notifies the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Security experts warn that the stolen data combination (names, addresses, IBANs, passport numbers) is "worth gold" for identity fraud and criminal exploitation.
The Dutch Public Prosecution Service launches an official criminal investigation into the cyberattack under the National Public Prosecutor's Office.
ShinyHunters publishes 680,000 customer records on the dark web after the ransom deadline expires. Odido publicly refuses to pay, stating it will "not allow itself to be blackmailed."
The complete cache of 6.2 million stolen customer records is published on the dark web, making all exfiltrated data freely available to criminals.
Analysis reveals the leaked data includes records of four government ministers, a senior intelligence service employee, three protected individuals, and 16,000+ people in vital sectors including ASML and Philips.
What You Can Do Right Now
If you run a business that stores customer data, don't just read this and move on. Actually do something about it.
- First, audit your MFA. If you're relying on push notifications or SMS, look into whether phishing-resistant alternatives (FIDO2, passkeys) are feasible for your systems.
- Second, run a social engineering assessment. Have someone test whether your employees would fall for a targeted phishing or vishing attempt. Most companies that haven't done this before are surprised by how many people click — or how many approve that MFA prompt.
- Third, review your data retention. What personal data are you sitting on? Do you still need it? Is it properly segmented and access-controlled?
- Fourth, set up monitoring and alerting. You need to know when unusual access patterns occur, especially bulk data access outside business hours or from unexpected locations.
If you need help with any of this, that's exactly what we do at Byte Dimensions. Our cybersecurity services include penetration testing, security audits, and security architecture review. We also build scalable web applications with security baked in from the start.
Sources
- BleepingComputer — "Odido data breach exposes personal info of 6.2 million customers"
- NL Times — Multiple reports on breach disclosure, ransom demands, and national security impact
- The Record (Recorded Future) — "Dutch mobile phone giant Odido announces data breach"
- TechCrunch — "Dutch phone giant Odido says millions of customers affected by data breach"
- Google Cloud Blog — "The Cost of a Call: From Voice Phishing to Data Extortion" (ShinyHunters campaign analysis)
- UpGuard — "Odido & Ben Data Breach Overview"
- Cybernews — "Odido data breach escalates into criminal probe"

Founder & Lead Developer at Byte Dimensions
Cybersecurity practitioner who runs penetration tests and security audits for Dutch businesses. Built Aegis-Auto, an autonomous pentesting platform. Tracks Dutch cyber incidents closely as part of Byte Dimensions' security practice.