Dark Web News Analysis
Cybersecurity intelligence from February 24–26, 2026, has identified a critical escalation regarding the data breach of the Dutch telecommunications giant Odido and its virtual mobile network Ben NL. This follows an earlier disclosure on February 12, when Odido confirmed a breach of its Salesforce-based customer contact system affecting 6.2 million users.
On February 24, the notorious threat actor group ShinyHunters posted a final warning on their dark web blog, claiming the exfiltration was far larger than initially reported—totaling 21 million records. The group threatened to leak a sample of 1 million records by Thursday, February 26, 2026, if their ransom demands were not met. The exfiltrated data reportedly includes:
- Personally Identifiable Information (PII): Full names, physical addresses, and mobile phone numbers.
- Sensitive Identity Assets: Passport numbers and driver’s license numbers.
- Financial Metadata: International Bank Account Numbers (IBAN).
- Critical Security Risk: Unlike Odido’s initial claim that passwords were safe, ShinyHunters alleges the database contains plaintext passwords.
- Technical Entry Point: The breach is traced to a social engineering/phishing attack against customer service employees, allowing hackers to bypass MFA by impersonating IT staff and scraping the Salesforce environment.
Key Cybersecurity Insights
The breach of Odido/Ben represents a “Tier 1” threat due to the extreme volume of data points and the presence of plaintext credentials:
- Plaintext Password Crisis: If ShinyHunters’ claim is accurate, this is a catastrophic failure. Attackers can perform Account Takeover (ATO) without encryption hurdles, and because users frequently reuse passwords, they can pivot into banking, social media, and the DigiD portal (the Dutch national identity system).
- Industrialized Identity & Loan Fraud: The combination of passport numbers, IBANs, and full PII is a “golden record” for identity thieves. Attackers can use this data to open fraudulent bank accounts, apply for credit lines, or bypass digital KYC (Know Your Customer) checks on international financial platforms.
- Hyper-Personalized Spear-Phishing: Armed with this metadata, scammers can launch lures that are 100% convincing. A customer is highly likely to trust a notification regarding “urgent payment verification” if it cites their legitimate bank account and ID details.
- “Code Word” Exposure: Odido clarified that a field named password_c (a challenge word used for telephone verification) was leaked. While not a portal password, this allows attackers to impersonate customers over the phone to customer service, potentially performing unauthorized SIM swaps or plan changes.
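The code-word exposure above comes down to a telephone challenge word sitting in a CRM field in readable form. The following is an added example, not code from Odido, Salesforce, or this article's author: it sketches one way to keep only a keyed, salted verifier in the CRM record so that an export of the CRM alone does not reveal the word. The function names, record layout, and pepper value are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumption: the pepper is held in a secrets manager or HSM, never in the CRM.
# Constructed demo value; a real deployment loads it from secure storage.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff")
PBKDF2_ROUNDS = 600_000


def _normalize(word: str) -> bytes:
    # Agents type what they hear on the phone, so fold case, Unicode width
    # variants and surrounding whitespace before deriving the verifier.
    return unicodedata.normalize("NFKC", word).strip().casefold().encode("utf-8")


def _derive(word: str, salt: bytes) -> bytes:
    # Code words are short and guessable. Keying with a pepper stored outside
    # the CRM means a stolen CRM export cannot be brute-forced offline.
    keyed = hmac.new(PEPPER, _normalize(word), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ROUNDS)


def enroll_code_word(word: str) -> dict:
    """Build the record stored in the CRM in place of the plaintext word."""
    salt = os.urandom(16)  # per-customer salt: equal words give different verifiers
    return {"salt": salt.hex(), "verifier": _derive(word, salt).hex()}


def verify_code_word(record: dict, spoken: str) -> bool:
    """Check the word a caller gives against the stored verifier."""
    candidate = _derive(spoken, bytes.fromhex(record["salt"]))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["verifier"]))


if __name__ == "__main__":
    rec = enroll_code_word("Tulip42")          # constructed sample code word
    print(rec)                                 # what a CRM export would contain
    print(verify_code_word(rec, " tulip42 "))  # agent's typed entry matches
    print(verify_code_word(rec, "tulip43"))    # wrong word is rejected
```

The verification service, not the agent's CRM view, holds the pepper, so support staff can confirm a caller's word without ever being able to read or export it.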
Mitigation Strategies
To protect your digital identity and ensure financial resilience following this exposure, the following strategies are urgently recommended:
- Immediate Password Rotation for All Services: Even though Odido maintains that “My Odido” portal passwords are encrypted, the ShinyHunters claim warrants immediate action. Change your Odido/Ben password and every other account that uses the same or similar credentials.
- Enforce App-Based Multi-Factor Authentication (MFA): Move beyond SMS-based security, which is vulnerable to SIM swapping. Enable App-Based MFA (e.g., Google Authenticator, Microsoft Authenticator) for all financial and communication portals.
- Zero Trust for “Official” Communications: Treat any unsolicited call or email from “Odido,” “Ben,” or your “Bank” asking for a “verification code” or “ID update” as a scam. Always verify the request by logging directly into the official portal or calling a verified customer service number from the company’s website.
- Monitor Bank and ID Records: Regularly check your bank statements for unauthorized direct debits. If your passport or license number was leaked, monitor for any unusual letters from government agencies or credit providers. Consider reporting your document as potentially compromised to the Rijksdienst voor Identiteitsgegevens (RvIG) if you detect fraud.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com