Odido Data Breach: ShinyHunters Dumps 8 Million Dutch Customers

Right. Gather round. Because this one is a special kind of stupid that deserves careful examination.

The largest telecom in the Netherlands — Odido, which serves roughly a third of the entire Dutch population — got absolutely folded by ShinyHunters back on February 7th-8th, 2026. We’re talking about 8 million customers’ data walking out the door: full names, addresses, phone numbers, email addresses, dates of birth, customer numbers, IBAN bank account numbers, passport numbers, and driver’s license numbers. Oh, and according to Cybernews and RTL’s reporting, potentially plaintext passwords too. Plaintext. In 2026. Storing plaintext passwords in 2026. Let that marinate for a moment.

ShinyHunters initially demanded over a million euros ransom. Odido apparently didn’t play ball — and as Reuters reported on February 26th, the hacking group then started publishing the data anyway. Eight million records. Over a third of the Netherlands. Published. Done.

What Actually Happened

Here’s the part that makes me genuinely furious. This wasn’t some exotic zero-day. This wasn’t a state-sponsored nation-state actor with a decade of R&D budget. According to Cybernews and analysis from multiple security researchers, ShinyHunters got into Odido’s Salesforce environment by doing something absolutely ancient and completely avoidable: they sent phishing emails to individual Odido customer service staff members and asked for their login credentials. Staff provided them. That’s it. That’s the whole intrusion.

Phishing emails. To customer service reps. Who then handed over their Salesforce credentials.

From that single initial access point, ShinyHunters pulled 6.2 million records in the initial breach — names, addresses, emails, phones, IBANs, birth dates, ID numbers. Then, as NOS reporting later revealed (and as the LinkedIn analysis from Dutch security circles confirmed), there were also sensitive internal customer service notes stolen — detailed notes that Odido initially didn’t disclose to customers because, apparently, they didn’t know those notes were included. A company that size, serving a third of the Netherlands, and they needed the national broadcaster to tell them what data they’d lost. Their own incident response team didn’t think to request a data sample from the attackers to understand the full scope of the breach.

That’s not an incident response process. That’s a disaster response process happening without any of the preparation that should have preceded it.

ShinyHunters then escalated on February 24th, claiming on their dark web leak site that they actually had 21 million records — not the 6.2 million Odido initially acknowledged — from both Odido and its virtual mobile network Ben NL. They posted a “final warning” demanding a “low seven-figure ransom” (Reuters and BleepingComputer both covered the extortion escalation) with a deadline of February 26th. Odido didn’t pay. ShinyHunters published.

Why It Matters

Eight million records of Dutch citizens — roughly the adult population of a major European country — are now floating around criminal marketplaces. And this isn’t just email addresses and phone numbers, annoying as those are. We’re talking IBANs. Passport numbers. Driver’s license IDs. Birth dates. Potentially plaintext passwords.

The identity theft exposure here is enormous. With a full name, IBAN, birth date, address, and a government ID number, a motivated fraudster has essentially everything they need to open credit accounts, commit banking fraud, conduct targeted social engineering against banks and insurance companies, or sell the package on to other criminal operations. ShinyHunters knows this. That’s the whole business model.

For the broader European context, this is also a spectacular GDPR failure. The General Data Protection Regulation requires notification within 72 hours of becoming aware of a breach. It requires that organizations understand what data was compromised. It requires disclosure to affected individuals. Odido found out from NOS — the Dutch public broadcaster — that internal customer service notes had been stolen. They updated their website after being contacted by a journalist. That’s the kind of compliance posture that makes the Dutch Data Protection Authority very, very interested in your organization, and should make your legal team very, very nervous.

What Went Wrong

Let me count the failures, because there are several and they deserve individual attention.

One: No MFA on Salesforce. If a phishing email to a customer service rep is sufficient to compromise your Salesforce CRM environment — an environment containing 8 million customers’ personal data including IBANs and government IDs — you don’t have MFA on that system. In 2026. There is no excuse for this. Multi-factor authentication on any system containing sensitive customer PII is not optional, it is the absolute baseline minimum. The Sophos 2026 Active Adversary Report found that 67% of all incidents they investigated were rooted in identity-based attacks. ShinyHunters specifically targeted Salesforce and got in with socially engineered credentials. This is the playbook they’ve used before — they went after Salesforce customers broadly in 2025, threatening hundreds of them. And yet here we are.

Two: Plaintext passwords. If the Cybernews claims about plaintext passwords in the stolen data are accurate, Odido was storing plaintext passwords in their systems in 2026. I don’t have a polite way to say this: that is a fundamental, inexcusable, career-ending security failure for whoever designed or approved that system. You hash passwords. With a proper modern algorithm — bcrypt, Argon2, scrypt. You’ve been able to hash passwords since before the internet existed. There is no technical justification for plaintext password storage at any point in the last three decades. If this is confirmed, it’s a GDPR notification that includes “we stored your password in plaintext” which is going to go down brilliantly with eight million customers.

Three: Inadequate data inventory. Odido didn’t know their own customer service notes were included in the breach until a journalist showed them. That tells you their data inventory — their understanding of what data exists, where it lives, and how it’s related — is fundamentally incomplete. You cannot protect what you don’t know you have. You cannot notify customers about data you didn’t know was in the system. This is the kind of data governance failure that looks straightforward from the outside but reflects years of accumulated technical debt and organizational neglect.

Four: No incident response rehearsal. The appropriate response when you suffer a breach at this scale is to immediately request a data sample from the attackers (if they’re communicating) to understand scope, conduct a comprehensive forensic analysis of what systems were accessed and what data was touched, and notify affected individuals of everything that was taken. Odido’s actual response was to announce a smaller number, get corrected by a national broadcaster, update their website, and watch ShinyHunters publish anyway. That’s not a rehearsed IR process. That’s improvisation under fire.

As I’ve discussed in my work on socio-technical cybersecurity, the human layer is consistently the weakest link — not because humans are stupid but because organizations don’t train, test, or design systems that account for human behavior under social engineering pressure. A customer service rep who hands over Salesforce credentials to a phishing email isn’t stupid. They’re untrained, unsupported by technical controls, and working in an environment where bad actors know exactly what psychological levers to pull. That’s an organizational failure, not an individual one.

The Fixer’s Playbook

MFA on everything that touches PII. Today. Not next sprint. Not Q3. Today. Salesforce, your CRM, your customer support platforms, your helpdesk tools. Phishing-resistant MFA — hardware tokens or passkeys — wherever possible. SMS-based MFA is better than nothing but it’s not the finish line. The credential-phishing-to-CRM-compromise attack chain that ShinyHunters used against Odido is not sophisticated. It works because MFA is absent.

Audit your password storage. If you have any system, anywhere, storing passwords in plaintext or with reversible encryption, that needs to be fixed before you finish reading this sentence. Bcrypt minimum. Argon2 preferred. This is not a security luxury. It is the baseline.
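As an added illustration of that audit step (example code written for this post, not anything from Odido or its systems), here is a small migration routine that rehashes legacy plaintext rows into salted, self-describing records. It uses scrypt from Python’s standard library because bcrypt and Argon2 need third-party packages; the work factors, the record format and the sample credential table are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factors: an assumption for this example, tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Hash with a fresh random salt and store a self-describing record:
    $scrypt$N$r$p$<salt b64>$<hash b64>, so parameters can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the record; compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False  # not one of our records (e.g. a legacy plaintext value)
    if scheme != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def is_legacy_record(stored: str) -> bool:
    """Audit rule: anything not in the $scrypt$ format is a plaintext (or unknown) value."""
    return not stored.startswith("$scrypt$")


def migrate_credentials(table: dict[str, str]) -> dict[str, str]:
    """Rehash every plaintext value once; already-hashed records are kept as they are.
    A reversible-encryption store would be decrypted offline and fed through the same path."""
    return {user: hash_password(value) if is_legacy_record(value) else value
            for user, value in table.items()}


if __name__ == "__main__":
    # Constructed sample table: one plaintext legacy row, one already migrated.
    legacy = {"alice": "hunter2", "bob": hash_password("correct horse battery")}
    migrated = migrate_credentials(legacy)
    print("legacy rows found:", sum(is_legacy_record(v) for v in legacy.values()))
    print("alice verifies after migration:", verify_password("hunter2", migrated["alice"]))
```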

Know your data. Run a data discovery exercise. Map where PII lives across all your systems, including the ones that have grown organically over years and nobody really manages anymore. Customer service note fields in CRMs are famous for containing all sorts of sensitive data that got entered informally and never classified. If you don’t know what data you have, you can’t protect it and you can’t fulfill your GDPR notification obligations accurately.
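An added example of that discovery exercise aimed at exactly the free-text note fields described above (written for this post, not code from Odido or the original article): it scans constructed sample CRM notes for IBANs, validates each candidate with the ISO 13616 mod-97 check so near-misses do not pollute the inventory, and reports masked values so the report itself does not copy the PII. The sample records and their layout are hypothetical.

```python
import re

# Constructed sample CRM note fields (hypothetical records, not data from the breach).
SAMPLE_NOTES = {
    "case-1001": "Refund agreed; customer gave IBAN NL91 ABNA 0417 1643 00 for the transfer.",
    "case-1002": "Customer asked about roaming charges; no payment details taken.",
    "case-1003": "Direct debit mandate on NL44RABO0123456789, ID checked in store.",
    "case-1004": "Bank bounced the mandate, IBAN NL45RABO0123456789 fails its check digits.",
}

# Country code, two check digits, then 11-30 alphanumerics. No leading \b because the
# space-collapse in find_ibans can glue a label such as "IBAN" onto the value.
IBAN_RE = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97: move the first four characters to the end, map A..Z to
    10..35, and the resulting integer must leave remainder 1 when divided by 97."""
    rearranged = iban[4:] + iban[:4]
    as_digits = "".join(str(ord(c) - ord("A") + 10) if c.isalpha() else c
                        for c in rearranged)
    return int(as_digits) % 97 == 1


def find_ibans(text: str) -> list[str]:
    """Return checksum-valid IBANs in free text, tolerating the usual 4-character grouping."""
    compact = re.sub(r"(?<=[A-Z0-9]) (?=[A-Z0-9])", "", text)
    return [m for m in IBAN_RE.findall(compact) if iban_checksum_ok(m)]


def mask_iban(iban: str) -> str:
    """Keep country code, check digits and last four; the inventory must not replicate the PII."""
    return iban[:4] + "*" * (len(iban) - 8) + iban[-4:]


def scan_notes(notes: dict[str, str]) -> dict[str, list[str]]:
    """Map record id -> valid IBANs for every record whose free text carries at least one."""
    hits = {}
    for record_id, text in notes.items():
        found = find_ibans(text)
        if found:
            hits[record_id] = found
    return hits


if __name__ == "__main__":
    for record_id, ibans in scan_notes(SAMPLE_NOTES).items():
        print(record_id, "->", ", ".join(mask_iban(i) for i in ibans))
```

Records flagged this way are the ones to classify and bring under the same access controls and retention rules as the structured PII columns.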

Train customer-facing staff on social engineering — specifically. Generic “don’t click phishing links” training isn’t enough. Staff who have access to CRM systems need specific training on credential-harvesting attempts, including scenarios where attackers claim to be IT support, vendors, or colleagues requesting system access. See my earlier post on how to handle security alerts as a human — the psychological dynamics of social engineering compliance are trainable if you actually invest in it.

Practice your incident response. Tabletop exercises for data breaches should be happening at minimum annually, and should specifically include scenarios where the initial scope assessment turns out to be wrong. “What if we find out we lost more than we thought?” is a question Odido clearly didn’t have a good answer to when NOS called.

The Final Call-Out

ShinyHunters published. The data is out. Eight million Dutch citizens are now navigating the aftermath of a breach that was entirely preventable with controls that have existed for a decade. No sophisticated zero-day. No nation-state capability. A phishing email and an absent MFA control.

The GDPR enforcement action that follows this is going to be interesting to watch. The Dutch DPA doesn’t mess around. And Odido’s legal team is going to spend a lot of time explaining why they didn’t know their own system contained customer service notes until a TV broadcaster told them.

Somewhere, an Odido product manager who killed the MFA project because “it creates friction for support staff” is having a very bad week. Good.