
The Odido data breach: how hackers stole millions of customer records

In February 2026, Dutch telecom provider Odido suffered a massive data breach affecting up to 8 million customers. We break down how the hackers got in, what was leaked, and how you can protect yourself.

What happened?

In mid-February 2026, Dutch telecom provider Odido (formerly T-Mobile Netherlands) confirmed a large-scale data breach affecting approximately 6.2 million customers — though the attackers themselves claim the number is closer to 8 million. The breach was carried out by ShinyHunters, a well-known cybercriminal group that has previously targeted organizations like Ticketmaster and several luxury fashion brands.

How did the hackers get in?

The attack vector was not a sophisticated zero-day exploit or advanced malware. Instead, ShinyHunters relied on a combination of phishing and social engineering — manipulating people rather than breaking through technical defenses.

The attackers set up convincing fake login pages that mimicked Odido's internal systems and targeted customer service employees via phone calls and messages. At least two employees were tricked into entering their credentials on these fraudulent pages. Once the attackers had valid employee credentials, they gained access to Odido's Salesforce environment — the cloud-based CRM platform where customer data was stored and managed.

From there, the attackers were able to exfiltrate massive amounts of customer data. A critical factor was that individual customer service accounts apparently had overly broad access to the database — a violation of the principle of least privilege that should have limited each employee to only the data they needed for their current task.
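The access model that would have contained this is task-scoped, field-minimised record access: an agent can read one customer's record only while a case for that customer is open, and only the columns their role needs. The following is an added illustration written for this post, not Odido's or Salesforce's code; the customer table, role names and field lists are constructed, and how a real CRM expresses these rules (record-level sharing plus field-level security) is left to the platform.

```python
# Added example (not Odido's or Salesforce's code): task-scoped record access.
# An agent can read a customer's record only while they hold an open case for
# that customer, and only the fields their role needs. All data is constructed.
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a read falls outside the agent's current task or role."""


# Constructed customer table (fake values). The verbal code is stored only as a
# hash and is never returned to any role; verification happens server-side.
CUSTOMERS = {
    "c-1001": {"name": "A. Jansen", "phone": "+31 6 0000 0001",
               "dob": "1980-01-01", "id_number": "FAKE-ID-0001",
               "verbal_code_hash": "<hash>"},
    "c-1002": {"name": "B. de Vries", "phone": "+31 6 0000 0002",
               "dob": "1975-05-05", "id_number": "FAKE-ID-0002",
               "verbal_code_hash": "<hash>"},
}

# Field-level minimisation: the columns each role may ever see. Nobody gets
# the stored code hash, and only identity re-verification staff see ID numbers.
ROLE_FIELDS = {
    "support_agent": {"name", "phone"},
    "kyc_officer": {"name", "dob", "id_number"},
}


@dataclass
class Session:
    agent: str
    role: str
    open_cases: set = field(default_factory=set)  # customer ids with an active ticket


def open_case(session: Session, customer_id: str) -> None:
    """Tie the agent to one customer for the duration of a task (a call or ticket)."""
    if customer_id not in CUSTOMERS:
        raise KeyError(customer_id)
    session.open_cases.add(customer_id)


def close_case(session: Session, customer_id: str) -> None:
    """Access ends with the task, not with the shift or the employment."""
    session.open_cases.discard(customer_id)


def read_customer(session: Session, customer_id: str) -> dict:
    """Return only the fields the role needs, and only for a customer the
    agent is currently working on. A phished agent credential therefore
    yields one record at a time, never the whole table."""
    if customer_id not in session.open_cases:
        raise AccessDenied(f"{session.agent} has no open case for {customer_id}")
    allowed = ROLE_FIELDS.get(session.role, set())
    return {k: v for k, v in CUSTOMERS[customer_id].items() if k in allowed}
```

The two checks are independent on purpose: the open-case check bounds *which* records a session can touch, the role projection bounds *what* comes back for each one. An unknown role gets an empty projection rather than a default-allow.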

What data was stolen?

The stolen data reportedly includes: full names and addresses, phone numbers, email addresses, dates of birth, passport and ID numbers, and plaintext passwords. These plaintext passwords appear to be the verbal verification codes that Odido customers use when calling customer service to authorize account changes — stored without proper hashing or encryption.
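To make the storage failure concrete, and to illustrate the hashing the "Lessons for organizations" section below asks for, here is an added example (not Odido's code) that puts the weak pattern beside a hardened one and shows how a legacy plaintext column can be migrated lazily. It uses `hashlib.scrypt` from Python's standard library as a stand-in for the bcrypt or Argon2 the post recommends; the pepper value, row layout and scrypt parameters are assumptions for the example.

```python
# Added example, not Odido's code: storing a short verbal verification code.
# Shows the weak pattern the post describes (stored and compared as typed)
# beside a hardened one, plus lazy migration from one to the other.
# hashlib.scrypt (standard library) stands in for the bcrypt/Argon2 the post
# recommends; all three are deliberately slow, salted password hashes.
import hashlib
import hmac
import os

# Server-side secret that lives outside the database (KMS/HSM in production).
# Constructed value for this example; never hard-code a real pepper.
PEPPER = bytes.fromhex("7f" * 32)


# --- weak pattern: the value in the table is the secret itself ---------------
def verify_plaintext(stored: str, presented: str) -> bool:
    # A dump of this column reveals every customer's code directly.
    return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))


# --- hardened pattern: per-row salt, server-side pepper, memory-hard KDF -----
def _derive(code: str, salt: bytes) -> bytes:
    # Keying with the pepper first means a leaked table alone is useless:
    # a 4-6 digit code space is tiny, so salting and slowness are not enough
    # on their own to stop offline guessing.
    keyed = hmac.new(PEPPER, code.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(keyed, salt=salt, n=2**14, r=8, p=1, dklen=32)


def store_hashed(code: str) -> str:
    salt = os.urandom(16)
    return "scrypt$" + salt.hex() + "$" + _derive(code, salt).hex()


def verify_hashed(stored: str, presented: str) -> bool:
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unknown hash format")
    computed = _derive(presented, bytes.fromhex(salt_hex))
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def verify_and_migrate(row: dict, presented: str) -> bool:
    """Check a caller's code against a row that may still hold plaintext.
    Rows are rewritten as hashes the first time they verify successfully,
    so a legacy table can be drained without a big-bang re-enrolment."""
    if row.get("verbal_code_hash"):
        return verify_hashed(row["verbal_code_hash"], presented)
    if row.get("verbal_code") is not None and verify_plaintext(row["verbal_code"], presented):
        row["verbal_code_hash"] = store_hashed(presented)
        row["verbal_code"] = None  # the plaintext is gone after this call
        return True
    return False
```

Hashing alone does not rescue a four-digit code: the whole space can be tried in seconds if the table leaks, which is why the pepper is kept out of the database and why the phone channel still needs attempt limits and lockout on top of this.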

The ransom demand and data leak

On February 24, 2026, ShinyHunters issued a public ultimatum: Odido had until Thursday morning to pay a seven-figure ransom in Bitcoin, or all stolen customer data would be published and made freely downloadable. Reports indicate that some of the data has already been circulating, with affected customers reporting an increase in targeted spam and phishing attempts.

What is Odido doing?

Odido has notified the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and has informed affected customers. The company has stated it is "tightening its security measures" and offered affected customers free antivirus subscriptions and service vouchers. However, Odido has also controversially stated that customers cannot terminate their contracts early because of the breach — a position that has drawn significant public criticism.

Security experts and the public have been critical of Odido's response, particularly regarding the storage of plaintext passwords, the overly broad data access given to customer service accounts, and the apparent retention of customer data (including passport numbers) beyond what may be legally necessary.

How to protect yourself if you're affected

If you are or were an Odido customer, take these steps immediately:

  • Change your Odido account password immediately, and change the verbal security code used for phone-based customer service.
  • Enable SMS-based multi-factor authentication (MFA) on your Odido account for an extra layer of protection.
  • If you used the same password elsewhere, change it on those services too — never reuse passwords.
  • Be on high alert for phishing emails, calls, and text messages. Criminals now have your personal details and will use them to appear legitimate.
  • Consider requesting a new passport or ID card, since your document numbers may be in criminal hands. This can be used for identity fraud.
  • Monitor your bank accounts and credit reports for unusual activity. Set up transaction alerts with your bank.
  • Be cautious of anyone calling who claims to be from Odido, your bank, or a government agency — verify their identity independently by calling back on the official number.
  • Report any suspicious activity to the police and to the Fraudehelpdesk (fraudehelpdesk.nl).

Lessons for organizations

The Odido breach is a textbook example of how human error, combined with inadequate access controls and data governance, can lead to catastrophic results. Key takeaways for every organization:

  • Implement the principle of least privilege — employees should only have access to the data they need for their specific task.
  • Deploy phishing-resistant MFA such as hardware security keys (FIDO2/WebAuthn) instead of relying solely on passwords and SMS codes.
  • Conduct regular security awareness training with realistic phishing simulations.
  • Never store passwords or security codes in plaintext — always use proper hashing algorithms like bcrypt or Argon2.
  • Implement data access monitoring and anomaly detection to catch unusual bulk data access patterns.
  • Review and enforce data retention policies — don't keep sensitive data longer than legally required.
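The monitoring point above is the one that would have turned a multi-million-record pull into an alert within the hour. The following is an added example written for this post, not Odido's or any vendor's code: it runs a two-rule check over constructed CRM access-log lines, flagging any user-hour whose count of distinct records either exceeds an absolute cap or jumps far above that user's own median from earlier hours. The log format, user names and thresholds are assumptions.

```python
# Added example, not Odido's or any vendor's code: flag CRM users whose
# distinct-record reads in one hour exceed an absolute cap or jump far above
# their own earlier baseline. The log format and thresholds are assumed.
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"action=record\.read id=(?P<id>\S+)$"
)


def make_sample_log() -> list:
    """Constructed access log: two agents with a normal call-handling rhythm.
    One later reads 80 records in under half an hour (a bulk pull through a
    stolen credential); the other spikes more modestly but still abnormally."""
    lines = []
    base = datetime(2026, 2, 10, 9, 0, 0)
    rid = 1000

    def read(user, when):
        nonlocal rid
        rid += 1
        lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ} user={user} action=record.read id=c-{rid}")

    for h in range(5):                       # agent17: 3 records/hour, 09:00-13:59
        for i in range(3):
            read("agent17", base + timedelta(hours=h, minutes=10 * i))
    for i in range(80):                      # agent17: 80 records starting 22:00
        read("agent17", base + timedelta(hours=13, seconds=20 * i))
    for h in range(4):                       # agent22: 4 records/hour, 09:00-12:59
        for i in range(4):
            read("agent22", base + timedelta(hours=h, minutes=12 * i))
    for i in range(25):                      # agent22: 25 records starting 13:00
        read("agent22", base + timedelta(hours=4, minutes=2 * i))
    return lines


def distinct_reads_per_hour(lines) -> dict:
    """(user, hour) -> number of distinct customer records read in that hour."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other actions or malformed lines are ignored here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        seen[(m["user"], ts.replace(minute=0, second=0))].add(m["id"])
    return {key: len(ids) for key, ids in seen.items()}


def flag_bulk_access(lines, abs_cap=50, ratio=5.0) -> list:
    """Return (user, hour, reasons) for every hour that breaks either rule:
    more distinct records than any single agent needs (abs_cap), or more
    than `ratio` times the user's own median over earlier hours."""
    by_user = defaultdict(dict)
    for (user, hour), n in distinct_reads_per_hour(lines).items():
        by_user[user][hour] = n
    alerts = []
    for user, hours in by_user.items():
        for hour in sorted(hours):
            n = hours[hour]
            earlier = [v for h, v in hours.items() if h < hour]
            reasons = []
            if n > abs_cap:
                reasons.append(f"{n} distinct records > cap {abs_cap}")
            if earlier:
                baseline = statistics.median(earlier)
                if n > ratio * baseline:
                    reasons.append(f"{n} > {ratio}x own baseline {baseline}")
            if reasons:
                alerts.append((user, hour.isoformat(), reasons))
    return alerts
```

Counting distinct record ids rather than raw requests keeps an agent who re-opens the same ticket twenty times from tripping the rule, while the per-user baseline catches a slow pull that stays under the cap. In production the lines would come from the CRM's audit or event log and the thresholds from observed team behaviour; an export or API-bulk action would get its own, much lower, cap.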

This breach underscores a critical truth in cybersecurity: the most sophisticated defenses mean nothing if the human element is not addressed. Social engineering remains one of the most effective attack vectors, and organizations must invest in their people as much as their technology.

Want to protect your organization?

Our cybersecurity experts can help you assess and strengthen your security posture before attackers strike.
