On March 1, 2026, a hacking crew published the personal records of more than 6.5 million people on the dark web. The victims were customers of Odido, the largest telecom operator in the Netherlands, and the data dump capped a three-week extortion standoff that Dutch media called the worst data exposure in the country’s history. The crew behind it, ShinyHunters, did not break Salesforce. They phoned a help desk, talked their way past multi-factor authentication, and walked out with a CRM database.

The Odido leak is not an isolated incident. It is the latest entry in a campaign that has run since late 2024 and has named Google, Workday, Qantas, Allianz Life, Adidas, Coinbase, and dozens of other firms among its victims. This analysis breaks down what happened at Odido, how the wider ShinyHunters operation works, who got hit, and what security leaders should expect next.

What Happened in the Odido Data Breach

Odido is the rebranded former T-Mobile Netherlands, a carrier that also runs the budget brand Ben and serves a large share of the Dutch market. Over the weekend of February 7 and 8, 2026, attackers gained unauthorized access to a Salesforce customer system. Odido detected the intrusion, alerted the public on February 12, and initially put the number of affected customers at 6.2 million.

The final tally ran higher. Have I Been Pwned lists 6.1 million affected accounts and 6 million unique email addresses published across four separate releases. The breach-tracking service DataBreach.com logged 6,598,287 rows. Security firm UpGuard reported the final leak contained data for more than 6.5 million people plus 600,000 companies. ShinyHunters themselves claimed access to as many as 8 million customers and 21 million lines of data, a figure that would touch roughly one-third of the Dutch population. That last number is an attacker claim and has not been independently verified.

What makes the Odido case severe is the type of data exposed, not just the volume. The leak included permanent identity fields that customers cannot rotate the way they would a password.

What Personal Data Was Exposed

Across the four data releases, sources consistently list a deep set of personal fields. The confirmed categories include full names, home addresses, mobile numbers, email addresses, internal customer numbers, dates of birth, and IBAN bank account numbers. The dataset also carried identity-document data, including passport and driver’s license numbers with expiry dates, and in several accounts the Dutch citizen service number, or BSN, a unique identifier issued to every resident.

The most damaging category surfaced later: internal customer service notes. These free-text fields, written by support staff over years, held intimate detail. Public broadcaster NOS reported that notes recorded payment arrangements, whether a customer had a legal guardian, and warnings that an ex-partner might try to impersonate the contract holder to commit fraud. One nuance worth flagging: according to community analysis of the dump, scans of ID documents were not in the leak itself, only internal reference links to where those images were stored.

For a fuller primer on how exposures like this unfold and what attackers do with the data afterward, see our explainer on how data breaches happen.

Odido Breach Timeline: From Vishing Call to Dark Web Dump

Date (2026) | Event
February 7 to 8 | ShinyHunters gain unauthorized access to Odido’s Salesforce customer system over the weekend
February 12 | Odido publicly discloses the breach, initially citing 6.2 million affected customers
February 26 | Breach added to Have I Been Pwned; extortion deadline expires after Odido refuses the ransom
February 26 to 27 | Attackers begin staged releases, threatening to publish 1 million records per day
March 1 | Full dataset published to the dark web, covering 6.5 million-plus people and 600,000 companies
March (ongoing) | Dutch Public Prosecutor’s Office opens a criminal investigation into the attack

The compressed timeline matters. Only three weeks separated the first intrusion from full publication. That speed leaves victim organizations almost no room to contain exposure once data has left the building, which is why prevention at the access layer is the only reliable defense.

The Ransom Demand and Odido’s Refusal

ShinyHunters demanded more than 1 million euros and set a deadline of February 26, according to reporting from Dutch outlet IO+. The crew threatened to release 1 million customer records every day starting February 27 if the company did not pay. In their final message before the dump, the attackers wrote, “This is your final warning. Otherwise, we will leak the data.”

Odido did not pay, and the attackers followed through. The decision mirrors the public stance Salesforce has taken across the whole campaign. A Salesforce spokesperson told Cybersecurity Dive in late 2025, “I can confirm Salesforce will not engage, negotiate with or pay for any extortion demand.” Refusing ransom is the position most law enforcement agencies recommend, since payment funds future attacks and rarely guarantees deletion. The cost, as Odido’s customers learned, is that the data goes public anyway.

Who Are ShinyHunters?

ShinyHunters began as a mass data-theft gang trafficking stolen databases. In 2024 the group pivoted to cloud-platform extortion, and through 2025 and 2026 it built one of the most prolific campaigns of the decade. The crew has repeatedly claimed affiliation with two other notorious groups, Scattered Spider and Lapsus$, and security researchers now treat the three as an overlapping collective sometimes branded “Scattered LAPSUS$ Hunters.”

Attribution is deliberately messy. Google’s Threat Intelligence Group and Mandiant track the intrusion activity as UNC6040 and the follow-on extortion as UNC6240, the actor that contacts victims claiming to be ShinyHunters. The FBI, in a September 2025 FLASH alert, covered both UNC6040 and a related cluster, UNC6395. Researchers at Obsidian Security wrote that “evidence strongly suggests that ShinyHunters and Scattered Spider collaborated during the 2025 Salesforce attacks, with both groups using overlapping tradecraft,” noting Telegram chatter that points to a partnership or merger. The same hands that hit Odido also feature in our coverage of the Canvas data breach and the Jaguar Land Rover attack.

How the ShinyHunters Salesforce Attack Chain Works

The most important fact about this campaign is what it is not: it is not a Salesforce software exploit. Salesforce has repeatedly stated the breaches stem from phishing, abuse of third-party integrations, or customer misconfigurations rather than any vulnerability in its platform. The attack chain is almost entirely social engineering layered on top of legitimate features.

Step One: The Vishing Call

Since October 2024, UNC6040 operators have opened attacks with voice phishing, or vishing. An attacker phones an employee while posing as internal IT support, sometimes using live calls and sometimes pre-recorded menus. The goal is to build enough trust to walk the target through a quick “fix” or “verification” step.

Step Two: The Malicious Connected App

The employee is guided to Salesforce’s Connected App authorization page and asked to approve a malicious app, often a modified version of the legitimate Salesforce Data Loader tool. Approval hands the attacker OAuth tokens. Because the employee satisfies the login and MFA prompt themselves while approving the app, the tokens issued to that app are treated as already verified and never trigger a further MFA challenge, so the attacker’s API calls sail straight past multi-factor authentication. This is the same MFA-bypass logic that makes strong app-level controls so important; our guide to two-factor authentication explains where token-based flows fit.

Step Three: Bulk Export and Extortion

With valid tokens, the operators query the Salesforce API and pull large volumes of CRM data directly. The data then passes to the extortion arm, which contacts the victim with a ransom demand and a deadline. A separate path in the same ecosystem abused stolen OAuth tokens from the Salesloft Drift integration to reach Salesforce instances; Cybersecurity Dive reported that path alone touched 760 organizations.

Major ShinyHunters Salesforce Victims in 2025 and 2026

The victim list reads like a cross-section of the global economy: technology, aviation, insurance, luxury retail, education, and telecom. The table below summarizes prominent publicly named or implicated targets. Where a figure is an attacker claim rather than a confirmed count, that is noted.

Organization | Sector | Records / Scope | Status
Odido | Telecom (Netherlands) | 6.5M+ people, 600K companies | Confirmed, data leaked
Google (corporate Salesforce) | Technology | Disclosed intrusion | Confirmed victim
Workday | Enterprise software | Disclosed intrusion | Confirmed victim
Qantas | Aviation | Customer data | Confirmed victim
Allianz Life | Insurance | Customer data | Confirmed victim
LVMH brands (Louis Vuitton, Chanel) | Luxury retail | Customer data | Named victims
McGraw-Hill | Education publishing | Up to 45M claimed (unverified) | Confirmed breach, April 14, 2026
Salesforce campaign overall | Cross-sector | 1B+ records claimed (unverified) | Actor claim, 39 firms on leak site

ShinyHunters told the press it had targeted “several hundreds of companies” in what it labeled the “Salesforce Aura Campaign.” A leak site the group launched in 2025 listed data tied to 39 major companies and claimed more than 1 billion personally identifiable records in total. Those headline numbers blend confirmed breaches with unsubstantiated boasts, so treat the billion-record figure as a marketing claim by criminals, not an audited count.

The Experience Cloud Misconfiguration Wave of 2026

In early 2026 the campaign added a second technique that required no phone call at all. On March 7, 2026, Salesforce warned that attackers were “exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended.” Experience Cloud powers public-facing portals, and when guest-user permissions are set too loosely, an unauthenticated visitor can query backend objects directly.

The Black Kite Research Team reported that this wave, which began in early March 2026, affected “hundreds of websites and potentially more than one hundred major organizations, including technology and cybersecurity companies.” ShinyHunters threatened to start releasing the stolen Experience Cloud data on March 14, 2026. FINRA issued a cybersecurity alert to financial firms on the same theme. McGraw-Hill confirmed a breach traced to a Salesforce misconfiguration on April 14, 2026, after ShinyHunters claimed 45 million records, a number McGraw-Hill disputed as limited and non-sensitive. This misconfiguration angle echoes the recurring lesson from cloud incidents that defaults left too open become the breach.

Market Impact: The Real Cost of SaaS Supply-Chain Breaches

The financial and trust costs of this campaign land in several places at once. For Salesforce customers, the breaches expose a hard truth: outsourcing data to a SaaS platform does not outsource the liability. Under GDPR, the data controller, in Odido’s case the telecom itself, carries responsibility for protecting personal data regardless of where it sits. At the time of writing, Odido had not been fined and no decision from the Dutch Data Protection Authority had been confirmed, but legal exposure looms given the volume of sensitive identifiers exposed.

For the broader market, the campaign reframes vishing and OAuth abuse as enterprise-grade threats rather than consumer nuisances. The pattern follows the credential economy documented in our report on infostealers that stole 1.8 billion credentials: identity is the perimeter, and human trust is the softest part of it. Companies now face rising cyber-insurance premiums, mandatory breach-notification costs, and the slow erosion of customer confidence that follows every major leak. The Coupang case, covered in our analysis of its 33.7 million-victim breach and $409 million fine, shows how steeply regulators can price negligence.

How Odido Compares to Other 2025-2026 Breaches

Placing Odido beside other recent incidents shows both its scale and the common thread of identity-based attacks running through the year. The table contrasts headline figures.

Incident | Year | People Affected | Root Cause | Threat Actor
Odido | 2026 | 6.5M+ | Vishing into Salesforce CRM | ShinyHunters
Coupang | 2025-2026 | 33.7M | Insider / authentication flaw | Former engineer
Canvas | 2026 | 275M | SaaS data theft | ShinyHunters
Jaguar Land Rover | 2025 | Operational shutdown | Social engineering | Scattered Spider-linked
McGraw-Hill | 2026 | Up to 45M (claimed) | Salesforce misconfiguration | ShinyHunters

The common denominator is striking. Four of the five incidents trace back to social engineering or misconfiguration rather than novel malware or zero-day exploits. Attackers have learned that the cheapest way into a hardened cloud platform is to ask an employee politely while pretending to be IT.

Historical Context: From Snowflake to Salesforce

The Salesforce wave did not appear from nowhere. ShinyHunters earned its reputation years earlier with breaches at Ticketmaster and dozens of other firms, and in 2024 the group was central to the Snowflake data-theft spree that hit customers who had not enabled MFA. The throughline is consistent: rather than attacking the platform vendor, the crew targets the customers’ weakest configuration or their staff.

What changed in 2025 and 2026 is industrialization. The group merged tradecraft with Scattered Spider’s help-desk impersonation expertise, automated reconnaissance against public portals, and ran a leak site as a pressure mechanism. Arrests of alleged members in 2024 and 2025 slowed but did not stop the operation, a reminder that loosely affiliated collectives regenerate faster than law enforcement can dismantle them.

Expert Analysis: Why This Campaign Keeps Working

Security researchers converge on a single explanation: the attack exploits trust and configuration, not code. The FBI’s September 2025 FLASH alert stated plainly that “since October 2024, UNC6040 threat actors have obtained initial access by leveraging social engineering attacks, in particular voice phishing, to gain access to organizations’ Salesforce accounts.”

Obsidian Security’s analysis of the June and July 2025 wave noted that the attackers “did not exploit any Salesforce platform vulnerabilities. Instead, they used traditional voice phishing combined with malicious OAuth Connected Apps to obtain tokens, granting API access and enabling bulk exports of CRM data.” MITRE, which catalogs the campaign as C0059, confirms the two-actor structure: initial theft by UNC6040, extortion by UNC6240 “who claimed to be the ShinyHunters group.” Salesforce, for its part, maintains the incidents “do not involve any vulnerability in the company’s own technology.” The agreement across the FBI, Mandiant, Obsidian, and the vendor itself is the clearest signal that the fix lies in process and permissions, not patches.

Predictions: What Comes Next for SaaS Security

Based on the trajectory through mid-2026, five developments look likely:

  • OAuth governance becomes a board-level metric. Expect organizations to inventory and aggressively restrict Connected Apps, treating third-party token grants the way they already treat privileged accounts.
  • Help-desk verification gets hardened. Vishing-resistant identity proofing, such as callback procedures and manager approval for access changes, will move from best practice to baseline policy.
  • Regulators sharpen focus on data minimization. The Odido customer-service-notes exposure highlights retention abuse; expect GDPR enforcement on storing more data than needed and keeping ex-customer records for years.
  • SaaS vendors push secure defaults. Salesforce and peers will likely tighten guest-user and Experience Cloud permissions out of the box after the 2026 misconfiguration wave.
  • The collective fragments and rebrands. Arrests will continue, but the ShinyHunters, Scattered Spider, and Lapsus$ overlap suggests the talent will resurface under new names rather than disappear.

How Organizations Can Defend Against ShinyHunters Tactics

Because the attack rides on legitimate features, defense centers on limiting what a single compromised session can do. Practical controls include enforcing an allowlist of approved Connected Apps so unknown OAuth grants are blocked by default, restricting which users can authorize third-party apps, and applying IP-based login ranges to the Salesforce API. Monitoring for abnormal bulk data exports catches exfiltration in progress, and tight Experience Cloud guest-user permissions close the misconfiguration door.

On the human side, the single highest-value step is help-desk hardening. Staff who can be talked into approving an app or resetting a credential are the entry point, so verification procedures that do not rely on caller-provided information matter more than any technical control. Data minimization closes the back end: the less sensitive data sits in a CRM, and the shorter it is retained, the smaller the blast radius when, not if, an account is compromised.
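The observable side of the three-step chain described above (an unexpected Connected App grant, API use from an unfamiliar network, a burst of bulk exports) and of the Experience Cloud guest-user problem maps directly onto the controls listed in this section. The following is an added example, not code from the page, from Odido or from Salesforce: a small Python rule set run over a handful of constructed API event records. The record layout, field names, app names, IP ranges, object names and thresholds are all assumptions for illustration and do not reproduce the Salesforce event log schema; map them to whatever your own log pipeline produces before relying on the rules.

```python
"""Detection rules for the vishing-to-bulk-export pattern described on this page.

Added example; not code from the page, Odido or Salesforce. The record layout is
CONSTRUCTED for illustration and is not the real Salesforce EventLogFile schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# --- policy (assumed values; tune to your organisation) -------------------------
ALLOWED_APPS = {"Salesforce Data Loader", "Internal Reporting Connector"}
ALLOWED_API_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # corporate egress
GUEST_ALLOWED_OBJECTS = {"KnowledgeArticle", "Case_Form__c"}     # what the portal needs
BULK_ROWS_PER_HOUR = 50_000                                      # per user+app baseline


def _ev(ts, event, user, profile, app, ip, obj="", rows=0):
    """Build one constructed event record (timestamps, names and IPs are made up)."""
    return {"ts": datetime.fromisoformat(ts), "event": event, "user": user,
            "profile": profile, "app": app, "ip": ip, "object": obj, "rows": rows}


SAMPLE_EVENTS = [
    _ev("2026-02-07T20:58:00", "LOGIN", "helpdesk.agent1", "Support", "", "198.51.100.20"),
    # Step two on the page: an employee approves an app that is not on the allowlist.
    _ev("2026-02-07T21:02:11", "OAUTH_GRANT", "helpdesk.agent1", "Support",
        "Data Loader Fix Utility", "198.51.100.20"),
    # Step three: the token is used from outside the corporate range to pull CRM data.
    _ev("2026-02-07T21:05:40", "API_QUERY", "helpdesk.agent1", "Support",
        "Data Loader Fix Utility", "203.0.113.7", "Contact", 30_000),
    _ev("2026-02-07T21:20:05", "API_QUERY", "helpdesk.agent1", "Support",
        "Data Loader Fix Utility", "203.0.113.7", "Contact", 30_000),
    _ev("2026-02-07T21:41:33", "API_QUERY", "helpdesk.agent1", "Support",
        "Data Loader Fix Utility", "203.0.113.7", "Account", 20_000),
    # Routine, sanctioned use the next morning.
    _ev("2026-02-08T09:15:00", "API_QUERY", "sales.rep2", "Sales",
        "Salesforce Data Loader", "198.51.100.44", "Lead", 4_000),
    # Experience Cloud guest traffic: one normal portal read, one read of a backend object.
    _ev("2026-02-08T10:00:00", "API_QUERY", "guest", "Guest",
        "Experience Cloud Portal", "192.0.2.50", "KnowledgeArticle", 12),
    _ev("2026-02-08T10:00:30", "API_QUERY", "guest", "Guest",
        "Experience Cloud Portal", "192.0.2.50", "Contact", 9_000),
]


def unknown_app_grants(events):
    """Rule 1: OAuth grants to Connected Apps outside the allowlist."""
    return [e for e in events if e["event"] == "OAUTH_GRANT" and e["app"] not in ALLOWED_APPS]


def out_of_range_api_calls(events):
    """Rule 2: authenticated API use from outside the permitted login IP ranges.

    Guest-profile traffic is exempt here because portal visitors come from anywhere;
    rule 4 covers them instead.
    """
    hits = []
    for e in events:
        if e["event"] != "API_QUERY" or e["profile"] == "Guest":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in ALLOWED_API_RANGES):
            hits.append(e)
    return hits


def bulk_export_spikes(events, threshold=BULK_ROWS_PER_HOUR, window=timedelta(hours=1)):
    """Rule 3: rows exported per user+app within any sliding window above the baseline.

    One alert per user+app, raised at the first event that crosses the threshold.
    """
    per_key = defaultdict(list)
    for e in events:
        if e["event"] == "API_QUERY":
            per_key[(e["user"], e["app"])].append(e)
    alerts = []
    for (user, app), evs in per_key.items():
        recent, total = deque(), 0
        for e in sorted(evs, key=lambda x: x["ts"]):
            recent.append(e)
            total += e["rows"]
            while recent and recent[0]["ts"] < e["ts"] - window:  # drop expired events
                total -= recent.popleft()["rows"]
            if total > threshold:
                alerts.append({"user": user, "app": app, "rows": total, "at": e["ts"]})
                break
    return alerts


def guest_overreach(events):
    """Rule 4: guest-profile reads of objects the portal was never meant to expose."""
    return [e for e in events
            if e["profile"] == "Guest" and e["object"] not in GUEST_ALLOWED_OBJECTS]


def run_detections(events):
    """Run all four rules and return their hits keyed by rule name."""
    return {"unknown_app_grants": unknown_app_grants(events),
            "out_of_range_api_calls": out_of_range_api_calls(events),
            "bulk_export_spikes": bulk_export_spikes(events),
            "guest_overreach": guest_overreach(events)}


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h.get("user"), h.get("app"), h.get("at") or h["ts"], h.get("rows"))
```

Rule 1 is the audit counterpart of the Connected App allowlist (the allowlist itself belongs in the platform’s app-authorization settings; the rule catches anything that slips through or was approved before the allowlist existed), rule 2 corresponds to IP-based login ranges, rule 3 to bulk-export monitoring and rule 4 to the Experience Cloud guest-user permissions. On the constructed sample the chain from the page shows up as one unknown grant, three out-of-range API calls, one export spike of 60,000 rows inside an hour and one guest read of a backend object; the sanctioned Data Loader run and the normal portal read produce no hits.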

Frequently Asked Questions

How many people were affected by the Odido data breach?

Odido initially reported 6.2 million customers. The final dark-web leak covered more than 6.5 million people plus 600,000 companies, with Have I Been Pwned listing 6.1 million accounts and DataBreach.com logging nearly 6.6 million rows. ShinyHunters claimed up to 8 million customers and 21 million lines of data, but that figure is unverified.

Did ShinyHunters hack Salesforce itself?

No. Salesforce states repeatedly that no vulnerability in its platform was exploited. ShinyHunters used voice phishing to trick employees into authorizing a malicious app or exploited customer misconfigurations in Experience Cloud. The platform was the destination, not the weakness.

What data was stolen in the Odido breach?

Names, addresses, phone numbers, email addresses, dates of birth, IBAN bank account numbers, customer numbers, passport and driver’s license numbers, and in some cases the Dutch BSN. Internal customer-service notes containing highly sensitive personal detail were also exposed.

Did Odido pay the ransom?

No. ShinyHunters demanded more than 1 million euros. Odido refused, and the attackers published the full dataset on March 1, 2026. The Dutch Public Prosecutor’s Office has opened a criminal investigation.

Which other companies has ShinyHunters hit?

Publicly named or implicated victims include Google’s corporate Salesforce instance, Workday, Qantas, Allianz Life, LVMH brands, Adidas, Coinbase, and McGraw-Hill. The group claimed to have targeted several hundred companies in its Salesforce campaign.

How can my organization defend against this attack?

Restrict and allowlist Salesforce Connected Apps, limit who can authorize OAuth grants, harden help-desk identity verification against vishing, monitor for abnormal bulk exports, tighten Experience Cloud guest permissions, and minimize the sensitive data you store and retain.

Sources and Further Reading