Hackers publish Odido customer data after telecom refuses ransom demand

Hackers claiming to be the ShinyHunters collective began publishing customer records from Dutch telecom Odido after the company refused to pay an extortion demand, exposing personal details and prompting a national police investigation.

Odido confirmed on Feb. 12 that data from 6.2 million customer accounts had been exposed after attackers accessed a customer relationship and contact management system that includes the BEN brand. The company said it would not negotiate with the criminals, adding, "On the advice of advisors and government agencies, we have decided not to negotiate with this group. We are now focusing on customer security."

The scale and exact contents of the theft remain disputed. ShinyHunters and one security tracker claim the group accessed as many as 8 million customers and 21 million lines of data. The criminals threatened to publish "one million lines of data per day" unless Odido paid a ransom, and some posts on underground forums and social media claimed roughly 680,000 records had already been released after an ultimatum expired.

Odido has described the stolen files as containing basic contact information such as full names, addresses, places of residence and mobile phone numbers, and said no passwords, call logs or billing information were compromised. Other investigators and sources have reported a broader set of fields in the stolen files, including email addresses, dates of birth, bank account numbers and passport or identity-document numbers. Independent reporting and security analysts additionally say internal customer notes were taken from the contact system, entries that can record payment arrangements, guardianship or administrator status, flags about missed payments, and warnings that an ex-partner might attempt impersonation.

Those customer notes, if present, raise particular alarm because they allow attackers to mount highly targeted social-engineering and "spear-phishing" campaigns by exploiting known vulnerabilities recorded by the company. Odido has said it was unaware that this additional, more sensitive information had been compromised, a claim that outside investigators are seeking to verify.

The ransom figure behind the extortion is also unclear. One security outlet cited the attackers demanding "over €1 million," while other sources characterized the amount as undisclosed. Odido has publicly declined to pay after consulting cybersecurity advisers and government agencies, a stance endorsed by national police, who are investigating the intrusion. Stan Duijf of the national police said, "Our advice to victims of ransomware is not to pay," warning that payment funds future attacks and offers no guarantee that data will be deleted.

The incident has been described by investigators as among the largest cyber intrusions in the Netherlands in recent years. Odido said it is focusing on customer security as it works with police and external cybersecurity specialists to contain the breach and assess the full scope of exposed information. Investigators are continuing to examine what systems were accessed and how extensive the published material is, and warned customers to remain vigilant for phishing and identity-fraud attempts while authorities try to corroborate the varying figures and claims circulating online.