The investigation into the Odido cyberattack has uncovered possible involvement of Dutch nationals, according to Dutch police, as authorities continue to investigate the ShinyHunters ransomware-linked attack that exposed the personal data of approximately 6.39 million customers. Law enforcement has urged the public to come forward with information as investigators work to identify those responsible for one of the country’s largest telecom data breaches.
The cyberattack took place on February 5 and 6 after attackers allegedly used voice phishing (vishing) to deceive Odido’s customer service team.
According to the company, the attackers posed as members of its internal IT staff, gaining unauthorized access before exfiltrating customer data. Odido said its teams detected the unauthorized access immediately on both occasions and revoked the attackers’ access, but the incident still resulted in a large-scale data breach.
Odido Cyberattack Investigation Finds Possible Dutch Link
Under the direction of the National Public Prosecution Service, the High Tech Crime Team (THTC) of the National Investigation and Intervention Unit launched an extensive investigation into the breach.
Authorities said investigators have found strong indications that Dutch criminals may have been involved. One key lead centers on a phone call made shortly before the breach in which a Dutch-speaking man allegedly impersonated an Odido IT employee while speaking with customer service representatives. Police are continuing efforts to identify the caller and have indicated that his voice could be made public if necessary.
Investigators believe people within cybercrime circles may have information about those responsible and are encouraging anyone with relevant details to contact law enforcement.

ShinyHunters Named as Threat Actor
Odido attributed the attack to the cybercriminal group ShinyHunters, which the company said carried out the social engineering campaign.
Chief Executive Officer Søren Abildgaard acknowledged the incident in a public statement, apologizing to customers and outlining the company’s commitment to strengthening its cybersecurity capabilities. He said Odido would continue investing in security, improve data protection practices, expand customer support, and share lessons learned from the incident.
The CEO also explained why the company refused to pay the ransom demand. According to Odido, paying cybercriminals would reward illegal activity and could encourage future attacks against other Dutch organizations. The company said the decision was made following guidance from authorities, despite knowing that stolen data could eventually be published.
Millions of Customers Impacted
Odido confirmed that approximately 6.39 million active and former customers of Odido and its Ben brand were affected by the breach. Customers of Simpel were not impacted.
The exposed information varied by individual and included names, addresses, mobile phone numbers, customer numbers, email addresses, IBAN numbers, dates of birth, identification details, nationality, and gender.
The company clarified that My Odido account passwords, call records, location data, billing information, and scans of identity documents were not compromised.
Odido also addressed reports claiming customer passwords had been leaked, stating that login passwords remain securely encrypted and were never accessible during the attack. Instead, a separate telephone verification field known as “password_c,” used as a customer challenge code, was included for a limited number of customers. The company has since discontinued using that verification method.
Customer Support and Security Measures Expanded
Following the breach, Odido increased customer support by adding more than 140 service agents and introduced additional security measures. These include its “Check je Gesprek” verification service, allowing customers to confirm whether communications claiming to be from Odido are legitimate, along with access to the F-Secure digital security service.
The telecom provider said all customers identified as affected have been notified by email or SMS, while customer service teams continue assisting users with questions related to their specific data exposure.
Meanwhile, Dutch authorities expect investigations into the Odido cyberattack to continue for several months. Police have also warned that cyberattacks targeting businesses and institutions are becoming increasingly common, urging organizations to strengthen cybersecurity defenses and encouraging citizens to remain vigilant against follow-on fraud and phishing attempts.

