Silent Surveillance: Why 6.2 Million Dutch Residents Need to Re-think Their Messaging Security
Are your messages truly private? With 6.2M Dutch residents at risk, it’s time to look beyond marketing claims. This deep dive explores the hidden vulnerabilities in mainstream messaging apps and why true end-to-end encryption is a necessity, not a luxury, for digital sovereignty.
Introduction
If you live in the Netherlands, you’ve probably heard about the Odido data breach by now. On the weekend of February 7–8, 2026, the country’s largest mobile network operator got hit by a cyberattack that may have exposed the personal data of up to 6.2 million customers. That’s bad enough on its own. But pair it with recent academic research showing that WhatsApp and Signal accounts can be silently surveilled using nothing more than a phone number, and things get a lot worse. Here’s what happened, what the research says, and why it matters.
The Odido Breach: What We Know
The largest mobile phone provider in the Netherlands announced a cyberattack in February that led to the theft of information from 6.2 million customer accounts.
CEO Søren Abildgaard confirmed that names, bank account numbers, addresses, mobile numbers, email addresses, account numbers, and IDs (including passports and driver’s license numbers) were stolen.
How did the attackers get in? They phished Odido employees, then called back pretending to be the IT department to bypass multi-factor authentication. Textbook social engineering. From there, they compromised Odido’s Salesforce environment and scraped customer data out of the system automatically.
It’s still unclear whether all customers are affected, and the company won’t say whether it’s being pressured or blackmailed by the hackers.
Experts have called the stolen data “worth gold” for criminals, noting it could enable help desk fraud, bank fraud, and even intelligence mapping of politicians and government employees.
The Messaging App Vulnerability: “Careless Whisper”
Here’s where things get interesting, and deeply troubling for the 6.2 million people whose phone numbers are now floating around in criminal hands.
Researchers from the University of Vienna and SBA Research uncovered a serious privacy weakness in WhatsApp and Signal. Both apps rely on end-to-end encryption to protect message content, but delivery receipts (the small checkmarks confirming a message has arrived) can be abused to monitor users without triggering any notification.
The paper, titled “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers,” won the Best Paper Award at RAID 2025.
The attack works like this: both apps send delivery receipts for “silent messages,” like reactions to messages that never existed. These invisible events let an attacker repeatedly ping a user’s device. By measuring how long the delivery receipts take to come back, they can infer a surprising amount of detail.
What kind of detail? Whether the screen is on or off, the number of currently active devices, and their operating system. All without generating any notification on the target’s end.
With high-frequency probing (say, one message every 50ms), researchers were able to map user routines, detect when phones switch networks, and identify when desktop clients come online. The victim never knows.
The kicker: no prior interaction is needed. Both WhatsApp and Signal issue delivery receipts for message reactions even from unknown senders. If someone has your phone number, they can silently monitor you.
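The following is an added example, not code from WhatsApp, Signal, or the paper. It shows two receiver-side checks that would remove the timing signal described above: withholding receipts for reactions that reference a message the client never stored, and capping silent events from senders outside the contact list. The event schema, sender labels, and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 10.0   # hypothetical sliding window, in seconds
MAX_SILENT = 20   # hypothetical cap on silent events per unknown sender per window

def filter_receipts(events, known_msg_ids, contacts):
    """Decide, per inbound event, whether a delivery receipt goes back.

    events: time-ordered dicts with ts, sender, kind, target_id (assumed schema).
    Returns (receipts, flagged): receipts issued per sender, and the first
    reason each suspicious sender was flagged.
    """
    recent = defaultdict(deque)   # sender -> timestamps of recent silent events
    receipts = defaultdict(int)
    flagged = {}
    for ev in events:
        sender, ts = ev["sender"], ev["ts"]
        if ev["kind"] == "reaction":          # silent: no notification shown
            window = recent[sender]
            window.append(ts)
            while ts - window[0] > WINDOW_S:
                window.popleft()
            if ev["target_id"] not in known_msg_ids:
                # Nothing to react to: withhold the receipt so there is no
                # round trip for the sender to time.
                flagged.setdefault(sender, "reaction to nonexistent message")
                continue
            if sender not in contacts and len(window) > MAX_SILENT:
                flagged.setdefault(sender, "high-rate silent events")
                continue
        receipts[sender] += 1
    return dict(receipts), flagged

def sample_events():
    """Constructed traffic: one contact, two unknown senders probing every 50 ms."""
    events = [
        {"ts": 0.0, "sender": "contact-a", "kind": "text", "target_id": None},
        {"ts": 5.0, "sender": "contact-a", "kind": "reaction", "target_id": "m1"},
    ]
    for i in range(200):   # reactions to message ids that never existed
        events.append({"ts": 6.0 + i * 0.05, "sender": "unknown-x",
                       "kind": "reaction", "target_id": f"ghost-{i}"})
    for i in range(30):    # reactions to a real message, but at probe rate
        events.append({"ts": 20.0 + i * 0.05, "sender": "unknown-y",
                       "kind": "reaction", "target_id": "m1"})
    return sorted(events, key=lambda e: e["ts"])

if __name__ == "__main__":
    print(filter_receipts(sample_events(), {"m1"}, {"contact-a"}))
```

With these constructed inputs the contact keeps both receipts, the sender reacting to nonexistent messages gets none, and the high-rate sender is cut off after the cap.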
Why This Combination Is Dangerous
This is where the Odido breach and the “Careless Whisper” research collide. With 6.2 million phone numbers potentially in criminal hands, each one becomes a key to silent behavioral surveillance. Attackers don’t need to hack your phone. They don’t need malware. They just need your number and a bit of patience.
Researchers disclosed their findings to Meta and the Signal Technology Foundation on September 5, 2024. As of November 2024, over fourteen months later, Meta acknowledged receipt but gave no substantive response. Signal hasn’t responded at all.
As of December 2025, this vulnerability remains exploitable in both WhatsApp and Signal.
What You Should Do
If you’re an Odido customer, here’s what I’d recommend:
- Consider replacing compromised identity documents. Passport numbers and driver’s license numbers were among the stolen data. These aren’t like passwords. You can’t just reset them. Look into reissuing these documents where possible.
- Change your phone number if feasible. If you’re not locked into your current number for business or personal reasons, switching to a new one immediately removes one vector of the “Careless Whisper” attack. It’s a drastic step, but an effective one.
- Enable “Block unknown messages” in WhatsApp’s Settings → Privacy → Advanced. This is the best available mitigation, though it only takes effect once messages from unknown accounts reach a high volume, WhatsApp doesn’t define what counts as “high volume,” and attackers may still get through with moderate probing.
- Use a VPN. Connecting to a VPN server that isn’t near your physical location should mess with the timing of status notifications, adding noise to the data an attacker can extract.
- Stay alert for phishing. Because names, addresses, phone numbers, and bank account numbers were stolen, Odido has warned that cybercriminals may impersonate the telco, your bank, or other third parties.
Accountability Matters
Security researcher Sijmen Ruwhof said the breach shows Odido lacked control when the data were stolen. “Six million records leaking is enormous. At the moment the data was stolen, the cybersecurity department should have intervened.”
According to Tim Walree, a university lecturer in private law and technology, a provider can be held liable if someone suffers harm as a result of a data breach, but only if Odido demonstrably violated the law.
This breach was not done for fun. The data has real, long-term consequences for millions of people. Odido should be transparent about what happened, what demands (if any) were made, and what systemic failures allowed social engineering to compromise 6.2 million records from a customer service platform.
As software engineers and privacy advocates, we need to demand better from both telecom providers who guard our most sensitive data and messaging platforms that leave fundamental metadata vulnerabilities unpatched for years.
Sources:
- The Record (Recorded Future News), Feb 12, 2026: “Dutch mobile phone giant Odido announces data breach”
- Techzine Global, Feb 13, 2026: “Major hack of Dutch telco Odido was a classic case of social engineering”
- The Register, Feb 13, 2026: “Dutch telco Odido admits 6.2M customers affected in breach”
- Infosecurity Magazine, Feb 18, 2026: “Odido Breach Impacts Millions of Dutch Telco Users”
- NL Times, Feb 14, 2026: “Stolen Odido data worth ‘gold’ for criminals”
- NL Times, Feb 17, 2026: “Odido keeps customer data much longer than claimed”
- DutchNews.nl, Feb 12, 2026: “Hackers access Odido customer info, 6.2 million could be hit”
- Gegenhuber et al., “Careless Whisper: Exploiting Silent Delivery Receipts to Monitor Users on Mobile Instant Messengers,” RAID 2025 (Best Paper Award), arXiv:2411.11194
- SBA Research / University of Vienna, Nov 19, 2025: Official announcement of messaging research findings.
- netidee.at (RAID 2025 award page): First-author description of the Careless Whisper research.
- CyberInsider, Dec 2025: “Tool allows stealthy tracking of Signal and WhatsApp users through delivery receipts”
- CyberPress, Dec 8, 2025: “Hackers Exploit Delivery Receipts in Messengers to Steal Private User Data”
- GitHub (gommzystudio/device-activity-tracker): Public proof-of-concept implementing the Careless Whisper research.