Odido Data Breach – February 2026

Dutch telecom company Odido experienced a data breach that resulted in the exfiltration of data belonging to 6.2 million customers. The breach was confirmed by the CEO in February 2026. Odido has reported the breach to the Dutch Data Protection Authority (AP).

About the Data Breach at Odido Netherlands

  • The Odido data breach was first detected on 7 February 2026. Between 7 and 8 February, the company found suspicious activity in the CRM system.
  • Within the next 48 hours, the company acted to remove the threat actors' access to the CRM.
  • During the attack, the attackers exfiltrated data of 6.2 million Odido customers.
  • The company has confirmed that customer passwords are safe: no passwords from ‘My Odido’ or other login systems have been leaked.
  • The company publicly disclosed the data breach on 12 February 2026.
  • Not all customers have been affected by the data breach. The data breach notification is being sent to affected customers by email. Customers for whom the company does not have an email address will receive an SMS.

How did the attack take place?

It is too early to confirm the source of the attack. However, preliminary findings suggest that the threat actors used a combination of phishing and identity theft to steal credentials.

Using stolen credentials of Odido employees, the hackers were able to access the Salesforce system and exfiltrate customer data.

It is unlikely that any security vulnerability was used to access and breach the Salesforce deployment of Odido.

What data was stolen?

The stolen data includes customer names, phone numbers, postal and email addresses, dates of birth, bank account numbers (IBAN), and details of customers’ government-issued IDs, such as passport or driver’s license numbers and dates of validity.

The company said former customers who had service within the past two years may also be affected.

Odido’s business customers are not impacted by this data breach.

No threat actor has claimed responsibility for the cyber attack, and no ransom demands have been made yet. It is, however, expected that the breached data may be dumped online by the threat actor.

Rajesh Dhawan
