Hacker group ShinyHunters posts Odido customer data online for third consecutive day NL Times
Hacker group ShinyHunters posts Odido customer data online for third consecutive day
Hacker group ShinyHunters has posted stolen Odido customer data online for the third day in a row. The earlier batch of stolen customer data from Dutch telecom company Odido has revealed highly sensitive information about victims of stalking and domestic violence, raising warnings that the breach poses real physical safety risks, RTL reported.
According to Odido, data from 6.2 million current and former customers was taken, including names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers. The hackers claim to have stolen information from over 8 million people and demanded a ransom of more than 1 million euros, threatening to publish 1 million lines of data each day until Odido paid. The company has refused to pay. ShinyHunters said it will release more Odido data over the next two weeks if the company does not pay. Odido confirmed it will not pay a ransom.
“We gave you the chance to resolve this quietly within a few days. Instead, you chose delay and disclosure. The consequences will now be public, prolonged, and costly,” the hackers said.
RTL identified detailed internal customer notes in the second batch, describing stalking, threats, domestic violence, and protected addresses. At least five people are noted as being stalked by an ex-partner. Other entries relate to domestic abuse or customers whose addresses were intentionally shielded for safety. Sensitive information affecting 13 people was identified, with ten having contact with Odido in the past six months. Most of the victims are women. Experts say that for people in these situations, secrecy around phone numbers and home addresses is essential, but the data is now publicly accessible.
“It is bizarre and extremely worrying that such sensitive information about victims of stalking and domestic violence has ended up on the street,” a spokesperson for Veilig Thuis, the national reporting center for domestic violence, told RTL. “This is not ordinary personal data, but information that directly affects someone’s safety. The idea that details about your situation could be public increases fear and insecurity.”
Veilig Thuis added that perpetrators, particularly ex-partners, actively seek personal information to regain contact or exert control. “When this type of data is available, it can be misused. That makes this especially serious. It affects people who are often doing everything they can to make their lives safe and stable again.”
Police response
Dutch police said they are not aware that specific data about stalking victims has been published. “Victims of stalking can contact the police, and we will see how we can help,” Stan Duijf, head of special operations at the national police, told RTL. He urged the public to be alert to suspicious emails, phone calls, and messages. “If you don’t trust it, verify it. Always do an extra check before responding or sharing information.”
Duijf said authorities are working on two fronts: identifying the perpetrators and limiting further distribution of the data. “But the speed of the internet is sometimes faster than the speed of the police.” The country where the hackers are operating is not yet known.
Odido reportedly stored sensitive details in a special free-text field in its customer system for internal notes. These fields include explicit instructions, such as not disclosing a customer’s home address, along with the reason, including stalking, domestic violence, or harassment.
“Data about stalking and domestic violence is by definition extremely vulnerable,” the Veilig Thuis spokesperson said. “Organizations should always question whether it is necessary to record such information, how long it is kept, and whether security is truly at the highest level.”
The stolen data is no longer confined to the dark web. Ethical hacker Sijmen Ruwhof said the information is now available on the open internet. “With a single click, anyone with an internet connection can download the leaked personal data without special software,” he told RTL.
In a statement, the Odido said it would not comment on whether data related to domestic violence or stalking is included. It advised anyone who feels unsafe to contact the police and offered to help customers check whether their data was published and, if needed, obtain a new phone number.
The hackers previously published hundreds of thousands of records on the dark web on Thursday and Friday. NOS reported that the breach likely occurred through phishing attacks on customer service employees’ accounts, though Odido declined to confirm the method
Hacker group ShinyHunters has posted stolen Odido customer data online for the third day in a row. The earlier batch of stolen customer data from Dutch telecom company Odido has revealed highly sensitive information about victims of stalking and domestic violence, raising warnings that the breach poses real physical safety risks, RTL reported.
According to Odido, data from 6.2 million current and former customers was taken, including names, addresses, phone numbers, dates of birth, bank account numbers, and ID numbers. The hackers claim to have stolen information from over 8 million people and demanded a ransom of more than 1 million euros, threatening to publish 1 million lines of data each day until Odido paid. The company has refused to pay. ShinyHunters said it will release more Odido data over the next two weeks if the company does not pay. Odido confirmed it will not pay a ransom.
“We gave you the chance to resolve this quietly within a few days. Instead, you chose delay and disclosure. The consequences will now be public, prolonged, and costly,” the hackers said.
RTL identified detailed internal customer notes in the second batch, describing stalking, threats, domestic violence, and protected addresses. At least five people are noted as being stalked by an ex-partner. Other entries relate to domestic abuse or customers whose addresses were intentionally shielded for safety. Sensitive information affecting 13 people was identified, with ten having contact with Odido in the past six months. Most of the victims are women. Experts say that for people in these situations, secrecy around phone numbers and home addresses is essential, but the data is now publicly accessible.
“It is bizarre and extremely worrying that such sensitive information about victims of stalking and domestic violence has ended up on the street,” a spokesperson for Veilig Thuis, the national reporting center for domestic violence, told RTL. “This is not ordinary personal data, but information that directly affects someone’s safety. The idea that details about your situation could be public increases fear and insecurity.”
Veilig Thuis added that perpetrators, particularly ex-partners, actively seek personal information to regain contact or exert control. “When this type of data is available, it can be misused. That makes this especially serious. It affects people who are often doing everything they can to make their lives safe and stable again.”
Police response
Dutch police said they are not aware that specific data about stalking victims has been published. “Victims of stalking can contact the police, and we will see how we can help,” Stan Duijf, head of special operations at the national police, told RTL. He urged the public to be alert to suspicious emails, phone calls, and messages. “If you don’t trust it, verify it. Always do an extra check before responding or sharing information.”
Duijf said authorities are working on two fronts: identifying the perpetrators and limiting further distribution of the data. “But the speed of the internet is sometimes faster than the speed of the police.” The country where the hackers are operating is not yet known.
Odido reportedly stored sensitive details in a special free-text field in its customer system for internal notes. These fields include explicit instructions, such as not disclosing a customer’s home address, along with the reason, including stalking, domestic violence, or harassment.
“Data about stalking and domestic violence is by definition extremely vulnerable,” the Veilig Thuis spokesperson said. “Organizations should always question whether it is necessary to record such information, how long it is kept, and whether security is truly at the highest level.”
The stolen data is no longer confined to the dark web. Ethical hacker Sijmen Ruwhof said the information is now available on the open internet. “With a single click, anyone with an internet connection can download the leaked personal data without special software,” he told RTL.
In a statement, the Odido said it would not comment on whether data related to domestic violence or stalking is included. It advised anyone who feels unsafe to contact the police and offered to help customers check whether their data was published and, if needed, obtain a new phone number.
The hackers previously published hundreds of thousands of records on the dark web on Thursday and Friday. NOS reported that the breach likely occurred through phishing attacks on customer service employees’ accounts, though Odido declined to confirm the method
