Odido 6.2 Million Dutch Customers Breached by ShinyHunters

Feb 1, 2026 · 6.5M individuals · national security

CRITICAL

By Karim El Labban · ZERO|TOLERANCE

In early February 2026, ShinyHunters breached Dutch telecommunications operator Odido - formerly T-Mobile Netherlands (rebranded September 5, 2023) - by social engineering customer service employees into granting access to the company's Salesforce CRM backend.

The attackers scraped the database undetected for approximately 48 hours, exfiltrating records belonging to 6.2 million customers - roughly 90% of Odido's subscriber base and more than a third of the Dutch population.

When Odido refused to pay a ransom demand of EUR 1 million (later reduced to EUR 500,000), ShinyHunters published the full dataset in daily waves between February 26 and March 1, 2026. The final dump contained data on 6.5 million individuals and 600,000 companies, including the personal details of four sitting government ministers, three individuals under state protection, and at least one senior intelligence service employee.

The breach has triggered a criminal investigation by the Dutch Public Prosecution Service, two rounds of parliamentary inquiries, and a documented surge in identity fraud across the Netherlands.

01

KEY FACTS

  • What: ShinyHunters social-engineered Odido customer service employees via phishing and vishing to access the Salesforce CRM backend, then used automated scripts to scrape 6.2 million customer records over 48 hours.
  • Who: 6.5 million individuals and 600,000 companies - nearly the entire Odido subscriber base (6.9 million). Includes four sitting Dutch government ministers, three state-protected individuals, members of parliament, and at least one intelligence service employee.
  • How: Multi-stage social engineering - credential phishing of customer service agents (possibly offshore), followed by vishing impersonating IT staff to bypass MFA push notification approval, granting access to Salesforce CRM.
  • Data: Full names, addresses, mobile numbers, email addresses, IBANs, dates of birth, passport numbers, driver's license numbers, BSN (Dutch citizen service numbers), residence permits, customer service notes containing domestic violence records, stalking incidents, debt details, and fraud histories.
  • Actor: ShinyHunters (Google: UNC6040/UNC6240/UNC6395), operating within the Scattered LAPSUS$ Hunters (SLH) collective. Part of a broader 2025-2026 Salesforce vishing campaign targeting 15+ organizations.
  • Impact: Full dataset published on dark web; identity fraud doubled across Netherlands; criminal investigation by Public Prosecution Service; two rounds of Kamervragen (parliamentary questions); national security exposure of protected individuals; GDPR fine exposure up to EUR 92.4 million.

02

WHAT HAPPENED

Odido Netherlands Holding B.V. is the largest mobile operator in the Netherlands by consumed minutes (40-45% market share), with 6.9 million subscribers and EUR 2.31 billion in 2024 revenue.

The company was acquired by Warburg Pincus and Apax Partners for EUR 5.1 billion in September 2021 from Deutsche Telekom. CEO Soren Abildgaard leads 2,033 employees.

On Saturday, February 7, 2026, ShinyHunters launched a multi-stage social engineering attack against Odido customer service employees. The attackers first sent targeted phishing emails to harvest Salesforce CRM login credentials - reportedly including offshore call center staff.

Once passwords were obtained, the attackers called the same compromised employees by phone, impersonated Odido's IT department, and manipulated them into approving secondary MFA login requests. This bypassed multi-factor authentication.

With authenticated access to the Salesforce customer contact environment, ShinyHunters deployed automated scraping scripts. The operation ran undetected for approximately 48 hours across the weekend.

Odido detected the unauthorized access and disclosed it on February 12, notifying the Autoriteit Persoonsgegevens (Dutch DPA).

On February 17, reports emerged that former customers who terminated contracts 5-10 years prior were receiving breach notifications - revealing that Odido retained data well beyond its stated two-year retention policy.

On February 24, ShinyHunters posted a EUR 1 million ransom demand, claiming 21 million records. The demand was later reduced to EUR 500,000. Odido, backed by Dutch police, refused.

On February 26, NOS revealed that stolen data included customer service notes containing domestic violence records, stalking incidents, guardianship status, and debt arrangements. ShinyHunters published the first batch of 680,000 records that day. Daily dumps followed.

On March 1, the full remaining dataset was published: 6.5 million individuals and approximately 600,000 companies, including more than 5 million unique identity documents.

On March 5, RTL Nieuws reported the dataset contained personal data of four sitting government ministers, three individuals under state protection, multiple state secretaries, members of parliament, and at least one senior intelligence service employee.

This transformed the incident from a corporate breach into a state security matter.

Critical context: Salesforce published a security advisory on January 30, 2026 - eight days before the breach - warning about this exact social engineering campaign targeting its customers, specifically mentioning vishing and credential theft.

The CRM supplier had previously warned Odido about this attack vector.

03

THREAT ACTOR

ShinyHunters is tracked by Google Threat Intelligence as UNC6040, UNC6240, and UNC6395. In August 2025, the group merged with Scattered Spider and LAPSUS$ to form the Scattered LAPSUS$ Hunters (SLH) collective.

The Odido breach is part of a coordinated campaign targeting Salesforce CRM environments via social engineering - the same methodology was used against Figure, Panera Bread, Match Group (Tinder/Hinge/OkCupid), Crunchbase, SoundCloud, Canada Goose, Qantas, Allianz Life, and LVMH. In January-February 2026 alone, ShinyHunters hit 15+ companies.

Key arrests include Sebastien Raoult (3 years, $5M restitution, January 2024), Matthew D. Lane (PowerSchool, June 2025), and four French affiliates (June 2025). Core leadership remains operational. The group previously operated BreachForums from June 2023 to May 2024.

04

WHAT WAS EXPOSED

The confirmed dataset includes:

  • Full legal names, home addresses, dates of birth, mobile phone numbers, and email addresses.
  • IBAN bank account numbers, enabling SEPA direct debit fraud.
  • Passport numbers and validity dates.
  • Driver's license numbers and validity dates.
  • BSN (Burgerservicenummer), the Dutch citizen service number, equivalent to an SSN, used for tax, healthcare, government services, and banking.
  • Residence permits, including diplomat credentials.
  • Customer account numbers, subscription plan details, and contract details.
  • Customer service interaction notes containing payment disputes, personal guardianship status, internal fraud warnings, employment issues, debt arrangements, scam victimization records, domestic violence documentation, and stalking incident records.

These notes enable devastatingly accurate spear-phishing because attackers can reference real life events and private circumstances.

NOT compromised: passwords, identity document scans (physical images), call/SMS records, location data, billing information, or invoice details.

Final published dataset: 6.5 million individuals + ~600,000 companies + 5 million+ unique identity documents. Have I Been Pwned indexed 6.1 million unique email addresses.

05

TECHNICAL FAILURE CHAIN

1. Phishing-Susceptible Workforce. Customer service employees fell for targeted phishing emails that harvested Salesforce CRM credentials. No email security controls prevented the payload from reaching targets.

2. MFA Bypass via Social Engineering. MFA was push notification-based, not phishing-resistant FIDO2/WebAuthn. Employees approved fraudulent MFA prompts when attackers impersonated IT staff by phone. This was the single point of failure.

3. Ignored Vendor Warning. Salesforce published a security advisory on January 30, 2026 warning about this exact campaign. The CRM supplier had previously warned Odido. Odido did not implement additional controls.

4. Overly Broad CRM Access. A single account had visibility into millions of customer records. Forrester described this as "a blast radius baked into the design." No data retrieval limits, conditional access, or just-in-time controls.

5. No Automated Scraping Detection. 48 hours of automated data extraction went undetected. No rate limiting, query volume monitoring, or behavioral analytics on the Salesforce instance.

6. Data Retention Violation. Records retained 5-10 years beyond contract termination - violating Odido's own 2-year retention policy and GDPR Article 5(1)(e). Former customers were exposed because Odido never purged their data.

7. Sensitive Data in Uncontrolled Notes. Domestic violence, stalking, debt, and guardianship records in free-text CRM fields with the same access controls as general contact data.

8. CRM Treated as Commodity Application. A system containing 6.9 million customers' IBANs, passport numbers, and BSNs received light-touch governance instead of tier-one critical infrastructure designation.

06

REGULATORY EXPOSURE

  • GDPR Article 5(1)(f) - Integrity and confidentiality. A single social engineering attack yielding the entire CRM database. Fine exposure: up to 4% of EUR 2.31B = EUR 92.4 million.
  • GDPR Article 5(1)(e) - Storage limitation. Data retained 5-10 years beyond contract termination, violating Odido's own 2-year policy. The AP confirmed it is investigating this violation.
  • GDPR Article 5(1)(c) - Data minimization. Domestic violence and stalking records in uncontrolled free-text fields without purpose limitation.
  • GDPR Article 25 - Data protection by design and default. CRM architecture allowed a single compromised account to access the entire customer database.
  • GDPR Article 32 - Security of processing. MFA vulnerable to social engineering. No scraping detection. Vendor warnings not acted upon.
  • GDPR Article 33 - 72-hour notification. Odido notified the AP on February 12, within the window. Obligation met.
  • GDPR Article 34 - Communication to data subjects. Individual notification provided, though some state-protected individuals received only generic notifications.
  • Dutch Telecommunications Act Article 11.3a - Telecom-specific breach notification. RDI enforcement authority. Odido was already fined EUR 175,000 by RDI in 2024 for illegally processing traffic data of 2.5M-4.5M subscribers.
  • AP Enforcement Precedent - EUR 290 million fine imposed on Uber in July 2024 (highest in Dutch GDPR history), demonstrating willingness for significant penalties.
  • Criminal Investigation - Public Prosecution Service (Openbaar Ministerie) launched investigation February 25, 2026.
  • NIS2 Directive - Odido will be classified as an essential entity under the Netherlands' Cybersecurity Act (NIS2 transposition, expected Q2 2026), with mandatory 24-hour incident reporting and duty of care requirements.

07

ZERO|TOLERANCE Advisory

1. Phishing-Resistant MFA (FIDO2/WebAuthn Hardware Keys). Push notification MFA is not phishing-resistant. FIDO2 keys cannot be socially engineered over the phone. Salesforce supports WebAuthn natively. This single control would have prevented the breach entirely.

2. CRM Access Architecture Redesign. No single account should access 6.9 million records.

Implement role-based access with data retrieval limits (max 50 records/session), conditional access restricting CRM to managed devices on corporate networks, and just-in-time elevation for bulk operations.

3. Salesforce Event Monitoring and Anomaly Detection. Enable Salesforce Shield Event Monitoring to detect mass queries and bulk exports. Rate-limit data retrieval. The 48-hour scraping operation would have been detected within minutes.

4. Vendor Advisory Response Protocol. When Salesforce warns about the exact attack vector 8 days before the breach, the response must include immediate access restrictions, heightened monitoring, mandatory re-authentication, and threat briefing.

5. Data Retention Enforcement and Automated Purging. Implement automated lifecycle management per the stated 2-year retention policy. Data retained beyond legal basis is both a GDPR violation and an expanded blast radius.

6. CRM Data Classification and DLP. Classify notes fields as potentially containing special category data. Implement DLP rules to flag or prevent entry of domestic violence, medical, and financial distress information into free-text fields.
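As an added illustration of advisory items 2 and 3 (and failure chain item 5), and not code from Odido, Salesforce or the author: a Python check that flags any CRM session whose retrieved row count exceeds a per-session cap inside a sliding time window, run over constructed log lines modelled on a subset of the Salesforce EventLogFile API event columns. The column subset, the sample rows and the thresholds are assumptions for the example.

```python
"""Flag bulk record retrieval in Salesforce-style API event logs.

Assumptions (not Salesforce defaults): rows carry the EventLogFile API
event columns EVENT_TYPE, TIMESTAMP_DERIVED, USER_NAME, ENTITY_NAME,
ROWS_PROCESSED, CLIENT_IP, SESSION_KEY; cap and window are illustrative.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: one agent doing normal single-record lookups in
# office hours, one session pulling thousands of Contact rows at 2 AM.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP,SESSION_KEY
API,2026-02-07T10:01:05Z,agent1@example.invalid,Contact,1,203.0.113.10,S1
API,2026-02-07T10:04:12Z,agent1@example.invalid,Contact,1,203.0.113.10,S1
API,2026-02-07T10:05:30Z,agent1@example.invalid,Case,3,203.0.113.10,S1
API,2026-02-07T02:00:01Z,agent2@example.invalid,Contact,2000,198.51.100.7,S2
API,2026-02-07T02:00:09Z,agent2@example.invalid,Contact,2000,198.51.100.7,S2
API,2026-02-07T02:00:17Z,agent2@example.invalid,Contact,2000,198.51.100.7,S2
API,2026-02-07T02:00:25Z,agent2@example.invalid,Contact,2000,198.51.100.7,S2
"""

MAX_ROWS_PER_SESSION = 50        # illustrative per-session retrieval cap
WINDOW = timedelta(minutes=10)   # sliding window for the volume check


def find_bulk_retrieval(log_text, max_rows=MAX_ROWS_PER_SESSION, window=WINDOW):
    """Return {session_key: (user, peak_rows)} for sessions whose rows
    retrieved within any window of length `window` exceed `max_rows`."""
    events = defaultdict(list)  # session -> [(timestamp, user, rows)]
    for row in csv.DictReader(StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        events[row["SESSION_KEY"]].append((ts, row["USER_NAME"], int(row["ROWS_PROCESSED"])))
    flagged = {}
    for session, evs in events.items():
        evs.sort()
        start, total = 0, 0
        for ts, user, rows in evs:
            total += rows
            # drop events that fell out of the window before comparing
            while ts - evs[start][0] > window:
                total -= evs[start][2]
                start += 1
            if total > max_rows and total > flagged.get(session, (user, 0))[1]:
                flagged[session] = (user, total)
    return flagged
```

Used as a batch job over hourly event log files, the alert would fire on the first over-cap window rather than after 48 hours.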

08

SOURCES

BleepingComputer, The Record, Cybernews, NL Times, DutchNews.nl, RTL Nieuws, NOS, The Register, TechCrunch, TechZine, Hackread, CyberInsider, UpGuard, Forrester, Salesforce Ben, Privacy Insight Solutions, Have I Been Pwned, Odido Official Incident Page, Filip Danic, eSecurity Planet, Infosecurity Magazine, Security Affairs, OSINT Team, Autoriteit Persoonsgegevens, Obsidian Security, Google Threat Intelligence
