The Odido hack, and stuff about (big) data breaches


As usual, reactions can go on this Mastodon post, or just tag or contact me any other way.

The Odido hack… I know I’m a bit late with this topic, but while it was happening I was rather busy. Not because I’m a victim, luckily I’m not, but because many people I know are, and many of them came to me with questions, me being the only infosec person they know. So I ended up discussing it with my peers in the sector quite a bit, but even more so helping the people around me distinguish fact from fiction and figure out what they can best do now. After that calmed down, to be honest, I had written half of this and needed some time off, so I went and played games. Still, I wanted to get back and finish it, because it was such a big event. Due to the size of this data breach it was everywhere in the (Dutch) news, which of course made many people talk about it. And that talk contains useful info, but also a lot of bullshit.

So what is this blog about? Many other people I know are infosec people themselves and have opinions. And well… I also have many opinions on what happened over the past few weeks. Some of it is specific to the Odido hack and the happenings related to it, some applies to data breaches in general. I’m just gonna write all of that down here.

What we know, and what we don’t

We all know Odido got hacked, but who’s to blame? Many are saying Odido, but I find that a bit simple. Let’s get to that in a bit. First I want to talk about who for sure needs to be blamed. The “hackers” (technically, the crackers, because hackers are generally not criminals, but simply people who use things in different ways than intended. Which isn’t bad; it’s how the internet was born). Anyway, they are the obvious bad guys. Who else? Well, anyone taking this data and using it for illicit purposes (like identity fraud). I think so far we can agree.

But what about Odido? They should have prevented this, right? Well, it’s not that simple. Anything is hackable, every system and every human is. And that makes it complex. Odido has the duty to take adequate measures to protect this data, but we don’t know enough to know if they did. This hack was executed by a group of professional cybercriminals, not some script kiddie who found something funny online, but people who know what they’re doing. While it’s possible that Odido’s security was bad, it’s also really not unimaginable that Odido’s security is adequate according to industry norms, maybe even above that, and that this happened regardless. It is also quite possible, and not very unlikely, that Odido gets attacked on a regular basis and mostly blocks everything, which we never hear about.

Edit 11-03-2026: before posting this blog, I had heard rumours of Odido being warned about the vulnerabilities that led to this hack, which would make Odido much more to blame. If that is the case, I hope the investigation also finds it and Odido gets punished for it. However, what I had heard about this before posting was “I read/heard somewhere that” hearsay without a source. As a lot of things were being said, not all equally true, I decided to let it be until more info was made public. After posting this blog, I’ve heard from people with a good reputation who claim to have personally seen the communication with the warnings, lending some more credence to that story, so I wanted to add a little note about it with this edit.

However, the point was never that Odido hasn’t been negligent or isn’t to blame for sure, but rather to tell people not to jump to conclusions tóó quickly and not to forget that hacks are never fully avoidable. Wait until you know whát happened before you judge. I’ve seen random people without inside knowledge get angry on day one blaming Odido, stating their security must be bad simply because they got hacked, regardless of circumstances. That’s not reasonable nor realistic at all.

Honestly, when it comes to this, I mainly feel bad for the person who got socially engineered into giving them access. As I said, every person can be hacked. Hit someone up the right way at the right moment, and they do that one stupid thing. Everyone has moments when they are less focused, have stuff going on, or get played despite being on top of their game. It happens to the best, and it can happen to you too. If you think it can’t, you’re just more susceptible to it. Even if the person’s name is not in the media, just knowing that you caused this huge data leak, with all the consequences that come from it, while everyone in the media is talking about it, does something to you.

That being said, don’t take this as me saying Odido should go free of criticism. While getting hacked can happen to everyone and we know too little to know if Odido has been negligent, if they have been, they are to blame. They also definitely have made mistakes that we already know about. The most obvious is keeping data longer than they promised. They themselves claim they keep data up to 2 years after a contract ends. At times, legal obligations might require data to be kept longer, sure. But Odido had data of people who had not been customers for over 10 years. Even the Dutch tax office only requires invoice data (often containing some personal data) to be kept for 7 years. There is no excuse for this other than Odido’s negligence.

Another issue is their communication. When the leak became public, they sent people a list of the data they knew had been stolen. However, by now we know that many people who were in the leak did not receive an email, and that the data in these mails wasn’t the full list. That means Odido did not inform everyone, and those who were informed were still missing important data. This, very much, is something to blame Odido for.

Crowdfunding privacy?

Odido decided not to pay. So then what do we do? Well, one person came up with the “great” idea to crowdfund the money required (unrelated, but why is his blog excluded from the Internet Archive/Wayback Machine? Interesting… I guess no copy in case he ever goes offline or silently changes content). He says he had “security specialists” on board, but they didn’t want to be named. I find that funny, because I’ve spoken to quite a few security professionals and they all thought it was a joke at first, and when realising it’s not, thought he was crazy.

Let me be clear: it’s a horrid idea. The only way to stop these hacks is by making them not a viable business model, and that only happens if no one pays. Not by creating an extra business model where, if the company doesn’t pay, the people can pay instead. Furthermore, the data is already leaked and in the hands of criminals. There is a good reason authorities always advise you not to pay.

And while it’s true that some criminal groups care about their reputation (after all, if people find out you leak it anyway, why would they still pay), there is no way of guaranteeing it. It’s not unheard of for such data to get leaked after all, at times with the tracks hidden to try to avoid people finding out it came from them. Something about having your cake and eating it too. There are also groups who, when this happens, keep asking for more money or they release it anyway, keeping companies imprisoned in the ransom scheme. But even without that, the group responsible doesn’t have a great track record. About half of the victims who did pay ended up having the data (partially) leaked later on. So even if we go with this reputation talk, they already lost that reputation. They are not a group to apply this logic to anyhow…

It leaked, I have a right to know what’s in there!

So, regarding the fact that we should consider it leaked regardless of payment: luckily more people saw how stupid the crowdfunding idea was, in the end nobody paid, and so the data got made public. What now? Well, of course people want to know whát exactly was leaked. Even if it hadn’t been made public, people would want that. But now that it is, finding out is easy, right? You can just download it! Well… No… Or well, you could. But you shouldn’t.

You see, it’s illegal to download data that has been obtained by ill means. I’ve heard all kinds of gymnastics about this, but really, most of it is bullshit. It simply is. The only exceptions are groups of people with specific purposes. Journalists can be allowed due to the nature of their work, as can certain people within law enforcement. And this is for good reason.

When you download data like this, you don’t just download your own data. You download the data of, in this case, 6.5 million people. That means you will have not just your own personal data, but also the personal data of 6,499,999 other people without their permission. If everyone does this, that also means 6,499,999 people will have yóúr data without your permission. It also means there would be 6.5 million extra places the data can spread further from, most of them far less secured than Odido’s servers. And that’s not even counting all the people who download it to check if they are in it, but turn out not to be.

Maybe one of the most outlandish arguments for why people would supposedly be allowed to download the data is trying to use Art. 40 Sr. of Dutch law (the hack was in the Netherlands after all). This is, simply put, the article that says that when you are forced through no fault of your own, you can be excused for a crime. It exists for situations like being held at gunpoint and forced to do something. Obviously, that doesn’t hold here (or you would think it’s obvious). You can very well not download the data, and nothing changes. Because even if you do, that doesn’t stop others from accessing the data, so no risk related to that (like identity fraud) gets mitigated. Then the argument moved to possibly needing to secure it as evidence for future problems, but that doesn’t add up either. If it’s a criminal case, the police have people authorised to handle the data. If it’s a civil case, then you can request it from Odido themselves, and even if that takes long, a judge can pause any proceedings in the meantime. You might not like to wait, but that’s no legal basis.

What can I do?

Luckily, you don’t need to know the exact contents of all the leaked data. What you do need to know is what type of data was leaked, because that is enough to figure out the risks you need to protect yourself against. Besides, since it’s about you, and you gave the data to them, you should be able to figure out what the data itself was once you know what type of data it is.

Odido is supposed to tell you this; by law they have to. But as we already covered, they have not been doing a great job of that. Luckily, there are more options. The most legal one is Check Je Hack from the Dutch police. In fact, it’s technically the only legal one, because as we just covered, you’re not allowed to download the whole dataset. That law also applies to services that will check your data for you. Even so, some of these are not within European jurisdiction and can therefore get away with it. And within that group, there is one that local law enforcement is kinda tolerating (I wish I had a better word for the Dutch term “gedogen”). That is, perhaps unsurprisingly, Have I Been Pwned. I’ve heard some reports that they give more info than Check Je Hack, so they might be worth checking.
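A side note on how a checking service can work without you handing it the thing you want checked: Have I Been Pwned’s Pwned Passwords lookup uses a k-anonymity range scheme, where the client sends only the first five hex characters of the SHA-1 of a password and gets back every matching hash suffix in that range with a count, so the service never sees the password or even its full hash. The code below is an added example written for this post, not HIBP’s own code and not the breach-by-email lookup the post refers to. It implements the client side of that range protocol against a constructed response: the suffixes and counts in it are made up for the example (only the suffix of SHA-1("password") is real), the response format and endpoint are HIBP’s public ones, and the live lookup function is only defined, not called, so everything runs offline.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint: GET <RANGE_API><5-hex-prefix>
# answers with lines of the form "<35-hex-suffix>:<count>".
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The middle suffix really is the remainder of SHA-1("password"); the other
# suffixes and all counts are made up for this example, not real HIBP data.
CONSTRUCTED_RANGE_5BAA6 = (
    "0" * 34 + "A:2\r\n"
    + "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    + "F" * 35 + ":1\r\n"
)


def sha1_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex
    characters of SHA-1(password). Only the prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into {suffix: count}.
    Malformed lines are skipped rather than trusted."""
    hits: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip().upper()
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        hits[suffix] = int(count)
    return hits


def count_in_range(password: str, served_prefix: str, body: str) -> int:
    """How often the password appears, given the range response that was
    fetched for served_prefix. Returns 0 when the suffix is absent. Raises
    if the body belongs to another prefix, because then it cannot answer."""
    prefix, suffix = sha1_split(password)
    if served_prefix.upper() != prefix:
        raise ValueError(f"response is for prefix {served_prefix}, need {prefix}")
    return parse_range_response(body).get(suffix, 0)


def count_online(password: str, timeout: float = 10.0) -> int:
    """The same check against the live API (needs network; not run here).
    Note that only the 5-character prefix is sent over the wire."""
    prefix, _ = sha1_split(password)
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range(password, prefix, body)


if __name__ == "__main__":
    n = count_in_range("password", "5BAA6", CONSTRUCTED_RANGE_5BAA6)
    print(f"'password' seen {n} times in the constructed range")
```

The point of the design is in `count_in_range`: the matching happens on the client, so the server only learns that someone asked about one of the few hundred hashes sharing a prefix. A service that instead asks you to paste your full email address or passport number into a form cannot offer that property, which is worth keeping in mind when deciding which checkers to trust with your data.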

And then? Worst case, you just found out all your data got spilled. And now? Honestly, the answer is very unsatisfying: not much. You generally do well to change data that can be changed. Passwords and such, for sure. You could maybe even change usernames and email addresses, and get a new passport. The AP (the Dutch privacy watchdog) has some good tips. But that’s pretty much it. Other than that, you can only pay attention and stay on top of any possible issues. Be extra wary of phishing, of signs of identity theft, etc.

The fact that data got stolen is, in and of itself, also not enough to get any compensation. As mentioned, getting hacked is not illegal in and of itself (and rightly so), only being negligent is (and no doubt the authorities are on that, but fines for that go to the state, not the victims). For the people whose data has been stolen to be compensated, there needs to be some kind of damage, of which the monetary value has to be specified. And until something happens, there is none yet. In the Netherlands, mental damages are very hard to get compensated for (as you need to prove the monetary damage caused by it), so your stress isn’t likely to make you money. The only option here would be material damages. The easiest and most widely applicable scenario: since the leaked data includes passport-related data, many may request a new passport. One could argue that the cost of this is material damage. However, one can also argue that this was not a necessity but something extra, and therefore should not be paid by Odido. If the data had been leaked before, that might also affect the monetary value (and thus compensation) of the damage, as the damage from this hack specifically would be lower (the data was already leaked after all, so another leak does less damage than if it were still a secret). I think it’s gonna take bringing it before a judge to settle that, as the devil will be in the details, I suspect. So even on that front the answers are disappointing.

I kinda hate the end of this blog, to be honest. I wish I could give more concrete tips, some things you could do to ensure safety or at least be properly compensated. But alas, I fear there is no honest way to do so. And so all I can do is conclude that it’s a very shitty situation for everyone involved. For Odido, for the people whose data is gone, I guess in a way even for the crackers who didn’t get money. Everyone loses, although I’m not sad about that last party losing. Fuck those crackers.