ShinyHunters Claims Odido Breach: 21 Million Records Exposed
The notorious ShinyHunters extortion gang has claimed responsibility for a data breach at Odido, one of the Netherlands' largest telecommunications providers. While Odido initially reported that around 6.2 million customers were affected when it disclosed the breach on February 12, ShinyHunters is now asserting they walked away with nearly 21 million user records — a figure that, if accurate, would make this one of the most significant telecom breaches in Dutch history.
This breach is a sharp reminder that even large, trusted companies with substantial security budgets can be compromised — and that your personal data is only as safe as the weakest system holding it.
What Happened at Odido?
According to Odido's disclosure, attackers gained access to the company's customer contact system on February 7, 2025. From there, they were able to download personal data belonging to a significant portion of the provider's customer base. Odido reported the incident to the Dutch Data Protection Authority and brought in cybersecurity experts to contain the damage and investigate the full scope of the intrusion.
The data potentially exposed in this breach is extensive and deeply personal:
- Full names
- Home addresses
- Mobile phone numbers
- Email addresses
- IBANs (bank account identifiers)
- Dates of birth
- Some identification details
This isn't just contact information — it's the kind of data that enables identity theft, targeted phishing attacks, SIM swapping, and financial fraud. The inclusion of IBANs and identification details in particular raises the stakes considerably.
Who Are ShinyHunters?
ShinyHunters is a well-established cybercriminal group with a long track record of high-profile data theft and extortion. The gang has previously claimed breaches against major companies across multiple sectors and often sells or leaks stolen data when extortion demands aren't met. Their involvement suggests this wasn't an opportunistic attack — it was deliberate, targeted, and carried out with the intent to monetize the stolen data.
The discrepancy between Odido's initially reported 6.2 million affected customers and ShinyHunters' claim of nearly 21 million records is significant. It could reflect different counting methods, duplicate entries, or a breach that was more extensive than initially understood. Either way, the scale of this incident demands attention.
What This Means For You
If you are or were an Odido customer, you should treat your personal information as potentially compromised and act accordingly:
- Watch for phishing attempts. Criminals armed with your name, email, phone number, and address can craft highly convincing scam messages. Be skeptical of any unexpected contact asking you to verify information or click a link, even if it appears to come from Odido or another trusted company.
- Monitor your bank accounts. With IBANs potentially in the mix, keep a close eye on any unusual financial activity. Contact your bank if you notice anything suspicious.
- Be alert to SIM swapping. If criminals have your mobile number and personal details, they may attempt to port your number to a new SIM so that they receive the SMS codes used for two-factor authentication. If your phone suddenly loses service, contact your carrier immediately.
- Consider using a breach monitoring service. Tools that alert you when your email address or personal data appears in known data dumps can give you an early warning and time to respond.
More broadly, this breach illustrates a truth that applies to everyone, not just Odido customers: you have no control over how securely a company stores the data you hand over to use their services. Telecommunications providers, by their nature, hold some of your most sensitive information — and that makes them attractive targets.
A Comprehensive Approach to Privacy
No single tool or habit can make you completely immune to the consequences of a third-party data breach. But layering your defenses dramatically reduces your exposure.
Using a VPN like hide.me when browsing or transacting online limits how much of your activity can be intercepted or tracked, reducing the data footprint you leave behind with services you use. It won't undo a breach that's already happened, but it's a meaningful part of a broader privacy strategy — alongside strong, unique passwords, two-factor authentication, and staying informed about breaches that affect services you use.
The Odido breach is a case study in why personal data protection can't be delegated entirely to the companies you trust with your information. Take ownership of the pieces you can control, and stay vigilant about the rest.
