On the weekend of February 7 and 8, 2026, someone walked through an open door at Odido. Not a back door. Not a zero-day exploit that required months of engineering. A door that was left open because the basics were not done well enough. By the time the alarm was raised, the personal data of millions of customers, including names, home addresses, bank account numbers, passport numbers and dates of birth, had already left the building.

This piece is not primarily about Odido. It is about what Odido represents: a pattern playing out across corporate Europe at speed, and a question every organisation handling sensitive customer data should be asking itself right now. Not "are we compliant?" but "are we genuinely prepared?"

Status as of February 24, 2026: ShinyHunters has issued a "final warning" to Odido on their dark web platform, demanding a seven-figure ransom. Deadline: Thursday morning, February 26. The data has not yet been publicly released. The extortion phase is active.

What Actually Happened

[Image: an employee at a computer, unaware of a shadowy figure behind them]

The attacker does not need to break in. They just need someone inside to let them in.

Odido confirmed that attackers gained access to a customer contact system, described in independent reporting as a Salesforce CRM environment. The entry method was social engineering, a combination of phishing and credential manipulation targeting employees, not a technical vulnerability in Odido's core infrastructure. Once inside, the attackers exfiltrated data quietly, over a period of time, before anyone noticed.

The data confirmed stolen includes full names, addresses, mobile numbers, customer numbers, email addresses, IBANs, dates of birth, and identification document numbers with validity dates. Odido states this affected approximately 6.2 million customers across Odido NL and its sub-brand BEN.nl.

ShinyHunters disputes this figure. In direct communication with RTL Nieuws journalist Daniël Verlaan, the group stated: "Odido is lying. It concerns 8 million customers and a total of 21 million rows of data." That discrepancy, roughly 2 million additional customers and 15 million additional records, has never been addressed by Odido.

Confirmed vs. Claimed — Side by Side

Customers affected: Odido says 6.2M; ShinyHunters claims 8M
Total records: 21M claimed by ShinyHunters; gap unexplained
IBANs, addresses, ID numbers: confirmed by Odido
Login passwords (Mijn Odido): not leaked, confirmed by Odido
Verification code words (password_c): leaked; stored in plaintext in the CRM
Internal documents, source code: claimed by ShinyHunters, neither confirmed nor denied by Odido
Data publicly released: not yet, as of February 24
Attacker named by Odido: no official confirmation

The Password That Was Not a Password

[Image: the password_c field on a cracked display, with broken padlocks and warning signs]

The field was called password_c. It was not a login password. It was something arguably more dangerous in this context.

ShinyHunters claimed to hold plaintext customer passwords. Odido flatly denied this, stating that "no passwords from Mijn Odido or other login systems have been leaked." Both statements are technically defensible. Neither tells the complete story.

What was actually leaked is a field in the Salesforce CRM named password_c. This is not a login password. It is a spoken verification code word, agreed between a customer and Odido for use when calling customer service to authorise account changes, the kind of thing a customer might use to verify their identity over the phone before changing a direct debit or updating an address.

Odido clarified this quietly, buried in the FAQ section of their official incident page, only after the "plaintext passwords" framing had already dominated media coverage for days. The correction is accurate. The timing of the clarification is worth noting.

"Despite its name, this is not a password, but a so-called challenge word or code word. This was used as an additional security question when a customer contacted us by telephone."

Odido official statement, odido.nl/veiligheid-eng, updated February 23, 2026

The problem is not that Odido stored this field. The problem is that they stored it in plaintext. A spoken verification code, linked to a customer's name, address, IBAN and passport number, sitting in a CRM environment reachable via a phishing call. That is a security hygiene failure, regardless of what the field is called.
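The fix this paragraph points at is to store the code word the way a login password is stored: as a salted, deliberately slow hash, so that a row exported from the CRM does not hand the attacker the spoken word. The Python below is an added example written for this article, not Odido's or Salesforce's code. The scrypt parameters, the record format and the field handling are assumptions; what it shows is that the call-centre check still works (case- and accent-insensitively, since the word is spoken) while the stored record no longer contains the word.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

# scrypt cost parameters; assumptions chosen for this example, not taken
# from any real CRM configuration. 128 * N * r bytes of memory per hash.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def normalise(word: str) -> str:
    """A code word is spoken over the phone, so compare it case- and
    accent-insensitively after stripping surrounding whitespace."""
    decomposed = unicodedata.normalize("NFKD", word.strip().casefold())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def store_code_word(word: str) -> str:
    """Return the record to put in the CRM field instead of the plaintext.
    Record layout (an assumption): scrypt$N$r$p$<salt b64>$<hash b64>."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(normalise(word).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_code_word(spoken: str, record: str) -> bool:
    """Check the word a caller gives against the stored record. Cost
    parameters are read back from the record so they can be raised later
    without invalidating old records; the comparison is constant-time."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.scrypt(normalise(spoken).encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def record_contains_word(record: str, word: str) -> bool:
    """What an attacker holding the exported row would see: with the hashed
    record, the normalised word itself does not appear in it."""
    return normalise(word) in record.casefold()


if __name__ == "__main__":
    # Constructed sample: a customer chose the code word "Zonnebloem".
    stored = store_code_word("Zonnebloem")
    print("stored record:", stored)
    print("caller says 'zonnebloem':", verify_code_word("zonnebloem", stored))
    print("caller says 'tulp':", verify_code_word("tulp", stored))
    print("plaintext visible in record:", record_contains_word(stored, "Zonnebloem"))
```

Hashing removes the word from the exported row, but a code word drawn from a small vocabulary is still guessable offline by an attacker who has the row; the other half of the control is rate-limiting failed verifications at the call centre and treating the code word as one factor, not the only one.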

This Was Not Sophisticated. That Is the Point.

[Image: Salesforce CRM screens fractured by lightning]

Salesforce was not the vulnerability. The access controls around it were.

When a major breach makes headlines, the instinct is to frame it as the work of elite nation-state actors using complex tools. It flatters the victim and satisfies the reader's appetite for drama. The reality here is considerably less glamorous, and considerably more alarming.

ShinyHunters did not crack Odido's encryption. They did not exploit a previously unknown vulnerability in network infrastructure. According to reporting by NOS, they used a combination of phishing and social engineering to gain access to a Salesforce environment, then downloaded data quietly before anyone noticed.

This playbook is not new and it is not unique to Odido. As investigative journalist Brian Krebs documented in October 2025, ShinyHunters launched an identical Salesforce campaign in May 2025, using voice phishing to trick employees at dozens of companies into connecting a malicious application to their organisation's Salesforce portal. The victims included Toyota, FedEx, Disney and UPS. Google's own Threat Intelligence Group, which tracks the group as UNC6040, confirmed the methodology. And notably, Google itself acknowledged that one of its own corporate Salesforce instances was compromised in the same campaign.

Advanced Persistent Teenagers: the security community's term for ShinyHunters and affiliated groups. APT is the acronym that usually denotes sophisticated nation-state threat actors; in this case it means something rather different. Term coined by security researcher Kevin Beaumont, October 2025. The irony is entirely intentional.

If Google, with its security resources and expertise, was caught in this net, the implication for the average Dutch enterprise is sobering. The sophistication barrier to this kind of attack is not high. What it requires is not elite skill. It requires a target that has left the door open.

The Law Is Not the Point

NIS2, the European Union's updated Network and Information Security directive, was supposed to be transposed into Dutch national law by January 1, 2025. It has not been. The Netherlands is formally in breach of EU rules on this point, and the Cyberbeveiligingswet, the Dutch implementation law, is not expected to take effect until Q2 2026.

Some have used this delay to suggest Odido's compliance obligations were not fully in force at the time of the breach. The argument goes: if the law is not law yet, the obligation does not fully apply.

This argument misses the point entirely.

Odido is a telecommunications provider handling the financial and identity data of more than six million people. They operated under the older Wbni framework, which already imposed meaningful security obligations on critical infrastructure operators. More fundamentally, the ethical obligation to protect customer data does not originate in a piece of legislation. It originates in the decision to accept that data in the first place.

The law is a floor, not a ceiling. The obligation to protect customer data does not begin when the legislation takes effect. It begins when you ask for the data.

ShinyHunters Is Not Finished

[Image: network map with ShinyHunters at the centre, linked to Odido, Harvard, Panera Bread, SoundCloud and other victims]

ShinyHunters at the centre. Odido, Harvard, Panera Bread, SoundCloud: the list keeps growing.

Understanding the Odido breach in isolation misses the larger picture. ShinyHunters is running an active, systematic campaign against organisations across Europe and North America using a consistent and documented playbook: identify companies using cloud CRM platforms, gain access via voice phishing, exfiltrate data quietly, apply extortion pressure through their dark web platform. Repeat.

When Salesforce itself was targeted as an intermediary in October 2025, ShinyHunters demanded Salesforce pay a single ransom covering all victims, stating that if Salesforce paid, all individual extortions would be withdrawn. Salesforce refused publicly, stating it would not engage with, negotiate with, or pay any extortion demand. Odido now faces the same choice individually.

ShinyHunters Confirmed Victims, 2025 to February 2026 — Partial List

Odido NL / BEN.nl: February 2026, NL
Harvard University: January 2026, US
University of Pennsylvania: January 2026, US
Panera Bread: January 2026, US
Match Group: January 2026, US
SoundCloud: January/February 2026
Canada Goose: January/February 2026
Toyota Motor Corporation: 2025, Salesforce campaign
FedEx: 2025, Salesforce campaign
Disney / Hulu: 2025, Salesforce campaign
Google (internal instance): 2025, confirmed by Google
Discord: September 2025
Red Hat: October 2025, 28,000 Git repositories

The ShinyHunters Oven Is On. Who Is Next?

That is not a rhetorical question. It is a practical one. The attack vector being used here, social engineering into cloud CRM platforms, is not Odido-specific. It is sector-agnostic. Any organisation running customer data through a cloud-based CRM environment, which covers the overwhelming majority of medium and large enterprises across the Netherlands and Europe, is operating in the same threat landscape that Odido was in when this breach occurred.

The question every board, every CTO, every data protection officer should be sitting with today is not "could we be attacked?" The answer to that is yes, for nearly everyone. The question is: if ShinyHunters pointed their playbook at us tomorrow morning, what would they find?

Would they find multi-factor authentication enforced across all CRM access? Least-privilege controls limiting which employees can reach which customer data fields? Regular voice phishing simulation training with documented outcomes? A data minimisation policy that asks whether plaintext storage of verification codes in a customer-facing system is actually necessary? An incident response plan that has been tested, not just written and filed?
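Two items on that checklist, least privilege and data minimisation, can be turned into a repeatable audit over the CRM's permission matrix rather than a question for the board. The Python below is an added example for this article, not Odido's or Salesforce's code. The roles, the field names other than password_c, and the need-to-know map are constructed for the example; what it shows is how to list which roles can read each sensitive field, flag the ones with no documented need, identify fields nobody needs at all, and answer the "what would they find?" question for a single phished account.

```python
from dataclasses import dataclass

# Constructed permission matrix for a hypothetical CRM tenant: which roles
# may read which customer fields. Role names and every field except
# password_c are assumptions made for this example.
ROLE_FIELD_READ = {
    "support_agent": {"name", "email", "mobile", "customer_no",
                      "password_c", "iban", "id_document_no"},
    "billing_clerk": {"name", "customer_no", "iban"},
    "marketing": {"name", "email", "mobile", "iban", "date_of_birth"},
    "integration_app": {"name", "email", "mobile", "customer_no", "iban",
                        "id_document_no", "date_of_birth", "password_c"},
}

# Fields whose exposure is the kind of harm the article describes.
SENSITIVE_FIELDS = {"password_c", "iban", "id_document_no", "date_of_birth"}

# Need-to-know map: which roles a data protection officer has agreed
# genuinely need each sensitive field. Values are assumptions.
NEED_TO_KNOW = {
    "password_c": {"support_agent"},
    "iban": {"billing_clerk"},
    "id_document_no": {"support_agent"},
    "date_of_birth": set(),
}


@dataclass(frozen=True)
class Finding:
    kind: str          # "over_privilege" or "minimisation_candidate"
    field_name: str
    roles: tuple       # roles involved, sorted for stable output


def audit_least_privilege(role_field_read, sensitive_fields, need_to_know):
    """Compare actual read access against need-to-know for each sensitive
    field. Returns over-privilege findings (roles that can read a field
    without a documented need) and minimisation candidates (fields no
    role needs, so the question becomes why they are stored at all)."""
    findings = []
    for name in sorted(sensitive_fields):
        readers = {role for role, fields in role_field_read.items() if name in fields}
        allowed = need_to_know.get(name, set())
        excess = readers - allowed
        if excess:
            findings.append(Finding("over_privilege", name, tuple(sorted(excess))))
        if not allowed:
            findings.append(Finding("minimisation_candidate", name, tuple(sorted(readers))))
    return findings


def blast_radius(role_field_read, sensitive_fields, role):
    """Sensitive fields a single compromised account in this role could
    export: the answer to 'if they phished one of these, what would they get?'"""
    return sorted(role_field_read.get(role, set()) & sensitive_fields)


if __name__ == "__main__":
    for finding in audit_least_privilege(ROLE_FIELD_READ, SENSITIVE_FIELDS, NEED_TO_KNOW):
        print(f"{finding.kind:22} {finding.field_name:16} {', '.join(finding.roles)}")
    for role in ROLE_FIELD_READ:
        print(f"blast radius of one phished {role}: {blast_radius(ROLE_FIELD_READ, SENSITIVE_FIELDS, role)}")
```

The matrix itself would come from the CRM's own profile and permission-set exports; the audit is only as good as the need-to-know map, which is why that map should be written down and owned by someone, not inferred from whoever happens to have access today.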

If the honest answer to any of those questions is "we are not sure," that is where the work starts. Not when the dark web post appears. Not when a journalist calls for comment. Now.

Odido's customers extended trust. Millions of them are now monitoring their bank accounts for unusual transactions, checking whether their passport details are being used to open fraudulent credit lines, and fielding suspicious calls from people claiming to be their bank. That is the real cost of complacency. It does not show up in a compliance audit. It shows up in the lives of the people whose data you were holding.

Glossary

Not familiar with the terminology? Here is what the key terms in this article mean, with links to further reading where available.

NIS2 — Network and Information Security Directive 2
The EU's updated cybersecurity law requiring organisations in critical sectors to implement strong security measures and report incidents promptly. Was supposed to become Dutch national law by January 1, 2025. Still pending as of Q1 2026. Further reading: EU official page.
Wbni — Wet beveiliging netwerk- en informatiesystemen
The Dutch national implementation of the original NIS directive, currently the applicable law for critical infrastructure operators including telecoms providers such as Odido. Further reading: Dutch government page.
Salesforce CRM
A cloud-based customer relationship management platform widely used by large enterprises to store customer data. In Odido's case, this was the environment from which the password_c verification field was exfiltrated. Salesforce itself was separately targeted by ShinyHunters in 2025.
Social Engineering / Voice Phishing (Vishing)
Manipulation of people rather than systems to gain unauthorised access. Voice phishing means calling employees, impersonating trusted parties, to obtain credentials or convince staff to connect malicious applications to corporate systems. No sophisticated hacking required.
Plaintext Storage
Storing sensitive data in readable, unencrypted form. If accessed by an attacker, its contents are immediately readable with no additional effort. Industry best practice requires all credential and verification data to be stored in encrypted or hashed form.
ShinyHunters (UNC6040)
A cybercriminal extortion group tracked by Google's Threat Intelligence Group as UNC6040. Known for breaching cloud CRM environments via voice phishing since at least 2024. Further reading: Krebs on Security.
ISO 27001
The international standard for information security management systems. Further reading: ISO official page.
Data Minimisation
A principle under GDPR and NIS2 requiring organisations to collect and retain only the personal data strictly necessary for a defined purpose.
Least-Privilege Access
A security principle under which each employee or system component is granted only the minimum level of access needed to perform their function.
GDPR — General Data Protection Regulation
The EU's data protection law, in force since 2018. Requires organisations to protect personal data and report breaches to the national authority within 72 hours. Further reading: gdpr.eu.
Autoriteit Persoonsgegevens (AP)
The Dutch Data Protection Authority, responsible for enforcing GDPR in the Netherlands. Odido reported this incident to the AP as legally required. Further reading: AP website.

Sources & Further Reading

  1. Odido official incident page (updated Feb 23, 2026): odido.nl/veiligheid-eng
  2. RTL Nieuws, Daniël Verlaan (Feb 23, 2026): rtl.nl
  3. Brian Krebs / KrebsOnSecurity, "ShinyHunters Wage Broad Corporate Extortion Spree" (Oct 7, 2025): krebsonsecurity.com
  4. Google Threat Intelligence Group (GTIG): ShinyHunters tracked as UNC6040, Salesforce campaign (June 2025)
  5. NOS reporting on Salesforce attack vector, Odido breach (February 2026)
  6. Dutch Cyberbeveiligingswet implementation status: Rijksoverheid.nl
  7. Kevin Beaumont, "Advanced Persistent Teenagers" — Mastodon post, October 2025

Are You an Odido or BEN.nl Customer?

Check your personal status on Odido's official incident page. Be alert to phishing calls, unexpected invoices, and messages claiming to be from your bank or Odido.
