A new data breach involving Dutch telecom provider Odido and its budget brand Ben has drawn attention after the ShinyHunters hacker group claimed to have stolen millions of customer records. While the attackers say sensitive data from roughly 21 million records is at risk, the company states that key account credentials and service operations remain unaffected.
ShinyHunters published the allegation on its dark web leak site last week, along with a message pressuring the company to return to negotiations. According to the post seen by Hackread.com, the stolen information includes names, addresses, email accounts, phone numbers, IBAN bank details, and identification data such as passport and driver’s license numbers. The threat actors claim they will release the data publicly if their demands are not met.
Odido Confirms Cyber Attack
In a security advisory published earlier today, Odido confirmed it experienced a cyberattack and acknowledged that customer data from a contact management system was accessed without authorization.
The company said its investigation is ongoing and that external cybersecurity specialists are assisting with containment and analysis. According to its official update, operational services, including mobile connectivity, internet access, and television, remain unaffected.
“Almost 21 million records containing Full Names, Physical addresses, email addresses, phone numbers, and plaintext passwords, IBANs, passport numbers, driver’s license numbers, and other internal corporate data have been compromised. This is a final warning to come back to our chat by Thursday this week and finish what we set out to do before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline. You know where to find us.”
ShinyHunters
The contrast between the attackers’ claims and the company’s statements show an early phase common in breach investigations. ShinyHunters claims that plaintext passwords and internal corporate information were included in the stolen data, while Odido says no passwords, call details, billing information, or location data were exposed. The company added that scans of identity documents were not accessed.
Early indicators suggest the data breach was detected during the weekend of February 7 and 8, when unusual activity triggered internal alerts. Odido said unauthorized access was terminated quickly after discovery, followed by additional security controls and increased monitoring across affected systems. The incident has been reported to the Dutch Data Protection Authority, and impacted customers received notification via email or SMS.
Although the company stresses that not all customers were affected, it acknowledged that exposed data may include personal identifiers such as full name, address, contact information, date of birth, bank account number, and identification document numbers.
This type of data is commonly used in phishing and impersonation scams, which is why the company advises customers to verify unexpected calls, avoid suspicious links, and carefully review invoices or financial requests.
ShinyHunters and Hacking Spree
The ShinyHunters group has spent years breaching companies and publishing stolen data, but over the past year, its operations have grown more aggressive and coordinated. A January 2026 report detailed how the group targeted more than 100 companies worldwide by using phone-based social engineering to bypass Single Sign On (SSO) protections.
That same method enabled the attackers to steal and leak millions of user records from companies, including SoundCloud, Crunchbase, and Betterment. The group claims it still holds data from hundreds of additional organizations and has warned that more leaks will follow if its demands are ignored.
Nevertheless, as investigations continue, the incident adds to a growing number of telecom sector breaches where attackers focus less on service disruption and more on harvesting personal information. The outcome will depend on whether the claims of large-scale data theft are verified and whether the attackers follow through on their threats to publish the data.
