Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers

Dutch police suspect local hackers behind the Odido breach that exposed 6M customers after a phishing attack and seek public help identifying them.

Dutch police have identified strong indications that Dutch nationals were involved in the February 2026 cyberattack on telecom provider Odido, which resulted in data from more than six million customers being stolen and subsequently made public.

Odido is a Dutch telecommunications company and one of the largest mobile network operators in the Netherlands. It was formed when T-Mobile Netherlands and Tele2 were rebranded as Odido in 2023 after private equity firms Apax Partners and Warburg Pincus acquired the business.

Odido serves around 8 million mobile subscribers and about 1 million fixed broadband customers nationwide. The company provides mobile telephony, wireless broadband, and related services under multiple brands including Odido, Ben, and Simpel.

In mid-February, the cybercrime group ShinyHunters broke into the Dutch telecom firm Odido and accessed data from 6.2 million accounts. At the time, the company confirmed the breach and said attackers took names, addresses, phone numbers, email addresses, bank account details, dates of birth, and passport or ID numbers.

“Odido has been hit by a cyberattack, which compromised customer data. This involved personal data from a customer contact system used by Odido. No passwords, call logs, or billing information were affected.” reads a notice published by the company on its website. “The unauthorized access to the system was terminated as quickly as possible. Odido also engaged external cybersecurity experts to assist with implementing additional security measures as part of the incident response.”

The telco said the breach did not expose My Odido account passwords, call records, location data, invoice details, or scans of ID documents.

The High Tech Crime Team (THTC) of the National Investigation and Intervention Unit has been running the investigation under the direction of the National Public Prosecution Service since the breach was discovered. The investigation is ongoing and the police are now asking the public for help.

“In the initial phase of the investigation, the police managed to take offline several servers that the hacker group used to distribute data.” reads the press release published by the Dutch Police.

“This type of investigation is often complex and time-consuming, but cybercriminals are also vulnerable and leave traces behind. At multiple points in the investigation into the hack at Odido, evidence was secured, which the investigation team has continued to work with,” says Stan Duijf. As Head of Operations within the LO, he is responsible for tackling cybercrime.

In the early phase of the investigation, police managed to take offline several servers the hacker group used to distribute the stolen data. That’s a meaningful early win in a case that will likely take months to resolve.

The investigation has surfaced a specific lead.

“In the investigation, the police have found strong indications that Dutch criminals are involved in the Odido hack. This includes a telephone call made to Odido’s customer service shortly before the hack.” continues the press release. “During this call, a Dutch-speaking man posed as an IT employee at Odido. “

During that call, a Dutch-speaking man posed as an IT employee at the company. Odido was then compromised through phishing, after which the data theft took place. Police are asking that person to come forward voluntarily, and have warned that his voice may be made public at a later stage if he doesn’t.

The investigators believe people in the suspect’s circle already know who’s behind the attack.

“The investigation team suspects that the perpetrators have spoken online or within their social circle about their involvement in the Odido hack and is convinced that people have suspicions about who is behind this hack.”

Police acknowledge the Odido breach is being discussed within the cybercrime community, and are counting on someone in that circle deciding the information is worth sharing. Tips can be submitted to 0900-8844 or anonymously through Meld Misdaad Anoniem.

“In the recent period, several companies and institutions have fallen victim to cyberattacks. Data that was sometimes stolen in these attacks is being misused on a large scale by other criminals.” concludes the press release. “The police and the Public Prosecution Service expect that this type of serious cyberattack will occur more frequently in the future and consider it important that companies prioritize their digital security.”

The Dutch police and Public Prosecution Service expect attacks of this type to become more frequent and are using the Odido investigation as an opportunity to push companies to take digital security seriously before the next incident, not after. The Odido investigation is expected to continue for several more months.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Odido)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter