How Yivi could have significantly reduced the impact of the Odido data breach

Yivi Team
Tags: data breach, privacy, security, decentralized, Odido, telecom, identity verification, cyber security

It’s the largest data breach in Dutch history. In early March 2026, the hacker group ShinyHunters published the complete dataset of stolen Odido customer data online after the telecom company refused to pay a ransom. The result: the personal data of 6.5 million Dutch citizens and 600,000 companies is now publicly available on the dark web.

For many, this news is shocking but not surprising. Large-scale data breaches seem to have become inevitable in our digital age. But that’s a dangerous misconception. The Odido breach wasn’t inevitable — it was the direct consequence of a fundamentally flawed system for storing and processing identity data.

There is an alternative. One where the impact of these kinds of mega data breaches can be dramatically reduced. One where users maintain control over their own data. One where companies no longer need to function as vulnerable data vaults. This alternative exists today and is already being used in production: Yivi.

What went wrong at Odido

Between February 7 and 8, 2026, hackers from ShinyHunters — known for previous attacks on Ticketmaster and Microsoft — used a classic but effective social engineering attack. They sent phishing emails to customer service employees, stole passwords, and then called these employees while impersonating Odido IT staff. By tricking these employees into approving a secondary login request, the hackers gained access to Odido’s Salesforce system.

For 48 hours, they were able to scrape the database undetected. The result is devastating:

  • More than 5 million unique identification documents: driver’s licenses, passports, residence permits
  • Complete personal data: names, addresses, dates of birth
  • Financial information: bank account numbers
  • Sensitive notes: internal notes about customers, including information about stalking, domestic violence, and protected addresses of victims

When Odido refused to pay the ransom of €500,000 — a decision made on the advice of police and cybersecurity specialists — ShinyHunters published the complete dataset online on March 1, 2026.

The fundamental problem: sensitive identity data in customer databases

Let’s be clear: it’s perfectly logical and necessary for a telecom company like Odido to maintain a customer database. They need to know who their customers are, what subscriptions they have, how to contact them, and how billing works. That’s just good business.

The problem lies in what is stored in that database. Odido didn’t just store operational customer data, but also:

  • Copies of passports and driver’s licenses
  • Social security numbers (BSN)
  • Full dates of birth
  • Copies of residence permits

This is data that was needed for verification — to check that someone is who they claim to be — but serves no operational purpose afterward. Yet it remains in the database for years, like a ticking time bomb.

At Odido, the weakest link wasn’t the technical security of the Salesforce system itself, but the human factor: customer service employees who were deceived through social engineering. This isn’t a failure of individuals — it’s a design flaw of the system. As long as access to a CRM system also means access to millions of identity documents, the risk remains catastrophic.

The core question is: why did Odido need to store all that identity data in the first place? The answer: they didn’t.

A different approach: delegated identity verification with Yivi

Yivi offers a smarter architecture for identity verification. The idea isn’t that companies shouldn’t have customer data — but that identity verification is delegated to a decentralized system, so sensitive identity data never ends up in corporate databases.

The principle: verify without copying

Imagine that when signing up for a subscription, Odido doesn’t ask for a copy of your passport, but instead:

  1. You open the Yivi app on your phone
  2. Odido requests verification: “Is this person who they claim to be?”
  3. Yivi confirms this with cryptographic proof, based on your municipal registry data or passport credentials — providing the same level of assurance as checking a physical passport
  4. Odido stores: “Customer Dibran Mulder, verified via Yivi with passport credentials on March 4, 2026”

That’s it. No passport copy. No passport number. No social security number. Odido has verified the customer’s identity with the same certainty as if they had physically checked a passport — but without storing any of the sensitive data that makes identity fraud possible.

What Odido still stores

In this model, Odido maintains a normal customer database:

  • Name and contact details (email, phone number)
  • Address for delivery/service provision
  • Subscription details and billing history
  • Service history and notes
  • Verification status: “Verified via Yivi (passport) on [date]”

What Odido doesn’t store

  • Copies of identity documents
  • Passport or driver’s license numbers
  • Social security numbers (BSN)
  • Full dates of birth

Selective disclosure: share only what’s needed

The beauty of Yivi is that you don’t have to share your complete identity document. You can share specific attributes:

  • “Identity verified” instead of a full passport copy
  • “Resident of the Netherlands” instead of your complete address
  • “Holder of a valid Dutch passport” instead of a copy with all details

For a telecom company that needs to verify someone’s identity, this is sufficient. They get the same assurance that someone is who they claim to be — without needing to store passport numbers or BSN that could be stolen in a breach.
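What the flow above looks like from the relying party's side, as an added example written for this article (it is not Yivi's own server or client code): the onboarding backend builds a disclosure request that asks for exactly the attributes it needs, checks the finished session result, and writes a record that contains nothing a thief could use for identity fraud. The `@context` value and the nested `disclose` structure follow the IRMA/Yivi disclosure-request JSON; the attribute identifiers (`pbdf.example-issuer...`), `SAMPLE_RESULT` and `LEGACY_RECORD` are constructed for the example, and the result field names (`status`, `proofStatus`, `disclosed`, `rawvalue`) are assumed to match the Yivi server's session-result format.

```python
"""Relying-party side of a delegated identity check (added example, not Yivi's code).

The onboarding backend asks the wallet for two attributes, checks the finished
session result, and keeps only a verification record. Attribute identifiers
are ASSUMED placeholders; real ones come from the issuer's published scheme.
"""
from dataclasses import dataclass, asdict

ATTR_FULLNAME = "pbdf.example-issuer.passport.fullname"   # assumed identifier
ATTR_DOC_VALID = "pbdf.example-issuer.passport.valid"     # assumed identifier
REQUIRED_ATTRS = (ATTR_FULLNAME, ATTR_DOC_VALID)

# Key fragments that must never appear in a stored customer record.
NEVER_STORE = ("bsn", "birth", "passport", "document", "scan")


def build_disclosure_request() -> dict:
    """Request one conjunction of the two attributes, nothing more.

    The "@context" and the disclose/discon/con nesting follow the IRMA/Yivi
    disclosure-request JSON; the server turns this into the QR the app scans.
    """
    return {
        "@context": "https://irma.app/ld/request/disclosure/v2",
        "disclose": [[list(REQUIRED_ATTRS)]],
    }


class VerificationFailed(Exception):
    """Raised when the session result must not be trusted."""


@dataclass(frozen=True)
class VerificationRecord:
    """The only identity-related thing the CRM keeps."""
    customer_name: str
    method: str
    verified_on: str  # ISO date

    def as_row(self) -> dict:
        return asdict(self)


def record_verification(session_result: dict, verified_on: str) -> VerificationRecord:
    """Validate a finished session and reduce it to a VerificationRecord.

    Field names (status, proofStatus, disclosed, rawvalue) are assumed to match
    the Yivi server's session-result JSON. Any attribute beyond REQUIRED_ATTRS
    is ignored at this point and therefore never reaches the database.
    """
    if session_result.get("status") != "DONE":
        raise VerificationFailed("session not finished: %s" % session_result.get("status"))
    if session_result.get("proofStatus") != "VALID":
        raise VerificationFailed("proof not valid: %s" % session_result.get("proofStatus"))
    disclosed = {
        attr["id"]: attr["rawvalue"]
        for conjunction in session_result.get("disclosed", [])
        for attr in conjunction
        if attr.get("status") == "PRESENT"
    }
    missing = [a for a in REQUIRED_ATTRS if a not in disclosed]
    if missing:
        raise VerificationFailed("missing attributes: %s" % missing)
    if disclosed[ATTR_DOC_VALID] != "yes":
        raise VerificationFailed("document reported as not valid")
    return VerificationRecord(
        customer_name=disclosed[ATTR_FULLNAME],
        method="Yivi (passport credentials)",
        verified_on=verified_on,
    )


def exposed_identity_fields(row: dict) -> set:
    """Fields in a stored row that would enable identity fraud if dumped."""
    return {k for k in row if any(frag in k.lower() for frag in NEVER_STORE)}


# Constructed sample: a finished, valid session whose result carries one
# attribute more than REQUIRED_ATTRS (say, a request someone edited to ask for
# more). The record built from it still ignores that attribute.
SAMPLE_RESULT = {
    "type": "disclosing",
    "status": "DONE",
    "proofStatus": "VALID",
    "disclosed": [[
        {"id": ATTR_FULLNAME, "rawvalue": "Dibran Mulder", "status": "PRESENT"},
        {"id": ATTR_DOC_VALID, "rawvalue": "yes", "status": "PRESENT"},
        {"id": "pbdf.example-issuer.passport.bsn", "rawvalue": "111222333", "status": "PRESENT"},
    ]],
}

# Constructed sample of the document-copy approach the article argues against.
LEGACY_RECORD = {
    "name": "Dibran Mulder",
    "email": "customer@example.com",
    "bsn": "111222333",
    "date_of_birth": "1990-01-01",
    "passport_scan": "scans/passport-0001.jpg",
}

if __name__ == "__main__":
    record = record_verification(SAMPLE_RESULT, "2026-03-04")
    print(record.as_row())
    print("legacy row leaks:", sorted(exposed_identity_fields(LEGACY_RECORD)))
    print("Yivi row leaks:", sorted(exposed_identity_fields(record.as_row())))
```

The design point is that minimization happens twice: the request asks for only two attributes, and `record_verification` copies only those two into the record, so a later change to the request (or a more generous wallet) cannot silently start filling the CRM with BSNs.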

Privacy for the user, no tracking

An added benefit: Yivi is designed so that no one can track your verifications. Even the issuer of your credentials (e.g., the municipality for registry data) cannot see where and when you use them. There’s no central party that registers all your verifications.

What does this mean for data breaches?

This is the crucial point: if a company like Odido doesn’t store copies of identity documents, BSN numbers, or passport numbers, these can’t be stolen. The impact of any breach is significantly reduced.

In the Yivi model, a data breach at Odido would look like this:

  • Hackers gain access to the CRM system
  • They find: customer names, contact details, contract information, payment history
  • They also find: “Customer X verified via Yivi with passport credentials on [date]”
  • They do not find: copies of passports, passport numbers, social security numbers

The difference is enormous. Contact details and contract information are annoying when leaked, but on their own they don’t enable identity fraud. You don’t need to request a new passport. Your social security number isn’t circulating on the dark web.

Why aren’t companies doing this already?

If delegated identity verification makes so much sense, why don’t companies do it? There are some practical reasons:

“That’s how we’ve always done it”

Companies are used to collecting copies of identity documents. It feels like a solid check: you see the document, you keep it for any future audits. But that copy often serves no real purpose after the initial verification. It’s security theater that provides a false sense of security — while creating an enormous liability.

The technology exists but isn’t mainstream yet

Yivi exists and works — municipalities like Nijmegen are already using it — but it’s not yet the standard. Most identity verification processes are built around document copies. Switching requires adjustments to existing systems.

The good news: this isn’t a complete system replacement. Companies can keep their existing CRM and customer management systems. They only need to change the verification process: instead of uploading a document copy, perform a Yivi verification.

Regulation is forcing change

The tide is turning. GDPR already requires data minimization — you may only collect data that is strictly necessary. The upcoming eIDAS 2.0 framework makes EU Digital Identity Wallets mandatory. And after the Odido disaster, pressure for stricter rules around storing identity data will only increase.

Companies that switch now are ahead of regulation instead of lagging behind.

What can organizations do now?

The beauty is that this doesn’t require a revolutionary system change. Companies can keep their customer databases — they just need to adjust the verification process.

1. Inventory what you really store

Ask yourself: what identity data do we store, and why?

  • Do we need copies of identity documents after the initial verification?
  • Why are we storing passport numbers or social security numbers?
  • What would happen if all this data leaked tomorrow?

Often it turns out that identity data is stored “just in case” — without a concrete purpose.
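This is what the inventory question looks like when asked of an actual CRM export. The scanner below is an added example written for this article, not a Yivi tool; `SAMPLE_EXPORT` is a constructed extract, and the field-name patterns are assumptions about how such exports are labelled. It flags BSNs (checked with the Dutch 11-proef, so a nine-digit order reference is not counted), full dates of birth and document-copy attachments, and answers “what would leak tomorrow” with a count of affected records.

```python
"""Inventory scan over a CRM export (added example, not Yivi's code).

Flags three kinds of identity data that only served the initial verification:
BSNs (validated with the Dutch 11-proef), full dates of birth, and
document-copy attachments. SAMPLE_EXPORT is constructed for the example and
the field-name patterns are assumptions about typical export labels.
"""
import re

NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")
ISO_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
DOB_KEY_RE = re.compile(r"birth|dob|geboorte", re.IGNORECASE)
DOC_KEY_RE = re.compile(r"passport|paspoort|driver|rijbewijs|id_?doc|permit|scan|copy",
                        re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"\.(jpe?g|png|pdf|tiff?)$", re.IGNORECASE)


def is_bsn(candidate: str) -> bool:
    """Dutch BSN 11-proef: 9*d1 + 8*d2 + ... + 2*d8 - d9 must be divisible by 11."""
    if len(candidate) != 9 or not candidate.isdigit():
        return False
    digits = [int(c) for c in candidate]
    weighted = sum(d * w for d, w in zip(digits[:8], range(9, 1, -1))) - digits[8]
    return weighted % 11 == 0


def scan_record(record: dict) -> list:
    """Return (category, field) findings for one exported row, in field order.

    BSNs are searched in every value, including free-text notes, because the
    breach showed that agents' notes hold sensitive data too.
    """
    findings = []
    for key, value in record.items():
        text = str(value)
        if any(is_bsn(m) for m in NINE_DIGITS_RE.findall(text)):
            findings.append(("bsn", key))
        if DOB_KEY_RE.search(key) and ISO_DATE_RE.fullmatch(text):
            findings.append(("date_of_birth", key))
        if DOC_KEY_RE.search(key) and ATTACHMENT_RE.search(text):
            findings.append(("document_copy", key))
    return findings


def inventory(records: list, id_field: str = "customer_id") -> dict:
    """Answer "what would leak tomorrow": counts per category and affected rows."""
    counts = {"bsn": 0, "date_of_birth": 0, "document_copy": 0}
    affected = []
    for record in records:
        findings = scan_record(record)
        for category, _ in findings:
            counts[category] += 1
        if findings:
            affected.append(record.get(id_field, "?"))
    return {"total_records": len(records), "counts": counts, "affected_records": affected}


# Constructed CRM extract: one legacy row with a document copy, one row where
# a BSN ended up in a ticket note, one row verified via Yivi with no identity data.
SAMPLE_EXPORT = [
    {"customer_id": "C-1001", "name": "A. de Vries", "email": "a@example.com",
     "date_of_birth": "1984-02-17", "bsn": "111222333",
     "passport_copy": "attachments/C-1001-paspoort.jpg",
     "notes": "Prefers contact by e-mail"},
    {"customer_id": "C-1002", "name": "B. Jansen", "email": "b@example.com",
     "notes": "Called about billing; agent pasted BSN 123456782 into the ticket",
     "verified_via": "Yivi (passport) on 2026-03-04"},
    {"customer_id": "C-1003", "name": "C. Bakker", "email": "c@example.com",
     "phone": "0612345678", "notes": "Order ref 123456789 delivered",
     "verified_via": "Yivi (passport) on 2026-03-05"},
]

if __name__ == "__main__":
    report = inventory(SAMPLE_EXPORT)
    print("records scanned:", report["total_records"])
    print("findings:", report["counts"])
    print("records that would enable identity fraud if leaked:", report["affected_records"])
```

Run it against a real export and the interesting number is `affected_records`: every row on that list is a row whose identity data could have been replaced by a one-line verification result.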

2. Separate verification from storage

The core solution: verify via Yivi, store only the verification result.

  • Before: “Passport copy stored”
  • After: “Verified via Yivi (passport credentials) on 4-3-2026”

Your customer management system stays the same. You just add a Yivi integration to your onboarding flow.

3. Start with a pilot

You don’t have to change everything at once. Start with one use case:

  • New customer registration
  • Identity verification for contract changes
  • Address verification when moving

Give customers the choice: traditional verification or via Yivi. Measure the results and expand.

What can you do as a consumer?

Next time you’re asked to upload a copy of your passport, ask the question: “Why? Can you also verify me via Yivi?”

The more people ask for this, the faster companies will switch.

Download the Yivi app and experiment with it. The more people use Yivi, the more attractive it becomes for companies to support it.

Conclusion

The Odido data breach wasn’t inevitable fate. It was the consequence of a specific choice: doing identity verification by copying and permanently storing documents, instead of verifying and storing only the result.

With Yivi, organizations like Odido can verify someone’s identity with full assurance — proving they are who they claim to be — without persisting BSN numbers or passport numbers. The customer database would still contain names, addresses, contracts, and contact details. What wouldn’t have been in there: 5 million copies of identity documents and the sensitive identification numbers that enable identity fraud.

The lesson is simple: verify, but don’t store.

Companies that embrace this principle protect not only their customers, but also themselves. No identity data in your database means no identity data that can leak.

The technology exists. The only question is: who dares to go first?

More information

Sources about the Odido data breach: