6.2 Million People Affected in Odido Breach
In February 2026, Dutch telecom provider Odido confirmed that cybercriminals accessed and stole personal data linked to approximately 6.2 million individuals.
Overview
Odido is one of the largest telecommunications providers in the Netherlands, offering mobile and related services to millions of customers.
In early February 2026, the company discovered that unauthorized individuals had gained access to systems used to manage customer information. After investigating, Odido confirmed that personal data from millions of current and former customers had been exposed.
The company reported the incident to the Dutch Data Protection Authority under GDPR requirements and began notifying affected customers.
How it happened
This breach did not rely on a complex technical exploit. Instead, it appears to have involved social engineering, meaning criminals tricked people rather than breaking technology.
Reports indicate attackers first obtained employee login details through phishing, using emails designed to look legitimate. They then reportedly contacted employees while pretending to be internal IT support, persuading staff to approve access requests.
With that access in place, the attackers reached a customer management environment and extracted large volumes of data. The key takeaway is simple: even when security tools exist, human trust can be exploited.
If you receive messages claiming to be from a telecom provider about “compensation” or “urgent verification” after a breach, treat them as suspicious by default.
Risks
Odido indicated that passwords were not exposed, but the stolen data can still create serious risk because it includes identity and contact details that enable convincing fraud.
The main risks include identity theft, where criminals attempt to open accounts or request services using stolen details. Another common outcome is highly targeted phishing, where messages reference real personal information to look authentic.
When banking details and identity information appear in the same dataset, criminals can also attempt financial scams by impersonating trusted institutions and pushing victims into “urgent” actions.
Recommendations
For individuals, the best protection is awareness and caution. Monitor bank accounts for unusual activity and be careful with unexpected calls, emails, or SMS messages asking for verification codes or urgent steps.
Never share one-time security codes with anyone over the phone, even if they claim to be from your telecom provider or bank. If you are unsure, hang up and contact the company through its official website or app.
Use strong authentication on your accounts where possible. If you can choose between SMS codes and an authenticator app, the app is generally safer.
For organizations, this breach is a reminder that employee training, strict access controls, and monitoring for unusual data exports are essential, especially for customer databases and CRM systems.
Breaches like this are not just IT problems. They are trust problems, and rebuilding trust takes far longer than breaking into a system.