ShinyHunters Threatens 21M Odido Records Leak Including Plaintext Passwords and Passports
3 min. read 
Published on
ShinyHunters claims breach of 21 million records from 8 million Odido/BEN NL telecom customers. Dark web post demands low seven-figure ransom by February 26, 2026, or full dump publishes. Alleged data spans plaintext passwords, IBANs, passports, driver licenses, corporate source code.
Odido confirmed February 7-8, 2026 breach hit Salesforce customer contact system. Company disclosed 6.2 million affected with names, addresses, phones, emails, bank details, ID numbers. Core telecom services stayed operational throughout incident.
ShinyHunters disputes scope calling Odido disclosure inaccurate. Hackers claim 21M total records versus 6.2M admitted. “Final warning” message threatens additional “digital problems” beyond data leak.
Plaintext password field labeled “password_c” actually contains phone verification challenge words. Odido discontinued practice post-incident. National insurance numbers never stored in affected systems.
Phishing emails targeted customer service staff for Salesforce credentials. ShinyHunters specializes in social engineering against cloud environments. Previous Salesforce customer extortion campaign established pattern.
Exposed Data Table
| Data Type | Risk Level | Impact |
|---|---|---|
| Plaintext passwords | Critical | Account takeovers |
| Passport numbers | Critical | Identity theft |
| Driver’s licenses | High | Forgery attacks |
| IBAN bank details | High | Financial fraud |
| Corporate source code | High | Infrastructure vulns |
| Customer addresses | Medium | Physical targeting |
8 million customers span current and former accounts. Data retention practices face immediate scrutiny. Telecom sector identity exposure creates mass fraud vectors.
Attack Timeline
Feb 7-8, 2026: Salesforce phishing breach confirmed
Early Feb: Odido discloses 6.2M affected
Feb 24: ShinyHunters posts 21M record claim
Feb 26: Ransom deadline or data publishes
Dutch Banking Association guidance states IBAN changes unnecessary. Account numbers alone insufficient for online banking access without additional auth.
Source code exposure threatens infrastructure vulns. Internal documents enable targeted social engineering against remaining staff.
Immediate Customer Actions
- Monitor bank statements for unauthorized transactions
- Enable 2FA across all email/banking immediately
- Freeze credit reports through Dutch bureaus
- Watch for phishing referencing Odido breach
- Change passwords proactively across platforms
- Request identity monitoring through Odido portal
Regulatory scrutiny inevitable post-leak. GDPR fines loom alongside Dutch authority probes. Telecom sector faces heightened breach disclosure pressure.
ShinyHunters established pattern with tech giants previously. Mass credential stuffing campaigns anticipated post-dump. Dark web monitoring shows active negotiation attempts.
FAQ
8 million customers, 21 million total records claimed.
No. “password_c” field held phone verification words only.
Phishing emails targeting customer service staff credentials.
February 26, 2026 or full data publishes publicly.
No. Mobile, internet, TV remained operational throughout.
No changes needed. Account numbers alone insufficient for access.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages