Cyber Incident Victim: Odido
Date:
Feb 2026
Location:
Netherlands
Summary
Odido disclosed a breach that exposed personal data of about 6.2 million customers, including those of its MVNO Ben NL. The compromised information comprised names, addresses, phone numbers, bank account numbers, email addresses, dates of birth, customer numbers, and passport or driver’s license details, while passwords, call records, and billing data remained untouched. Investigators determined that attackers gained entry through social engineering, using phishing emails to obtain customer service representatives’ credentials and then posing as the IT department by phone to approve fraudulent logins. The operator stated the unauthorized access was swiftly terminated, additional security measures were implemented, and the incident was reported to the Dutch Data Protection Authority, with no impact on services and no evidence the data has been published online.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 7‑8 2026, unauthorized access occurred to Odido’s customer contact system, as disclosed by the company in a notice dated February 13 2026. The breach was identified earlier in the month and Odido notified customers that their personal data may have been leaked. An Odido spokesperson stated that the incident took place earlier in February and that data from approximately 6.2 million customers was compromised. Both direct Odido customers and those of its mobile virtual network operator Ben NL were affected. The company reported the breach to the Dutch Data Protection Authority and said an investigation was ongoing.
The data accessed during the attack included names, addresses, phone numbers, email addresses, dates of birth, customer numbers, bank account numbers, and passport or driver’s license numbers and their validity dates. Odido emphasized that no passwords, call records, billing data, or invoice data were accessed. The company confirmed that its services were not impacted by the intrusion. Notification to affected users was carried out directly via email or phone, and Odido advised recipients to remain alert to suspicious or unusual activities such as phishing attempts. Odido also stated that it was not aware of the stolen information being published online but continued to monitor the web in collaboration with cybersecurity experts.
According to reporting from Dutch public broadcaster NOS, the hackers gained entry by first attempting to log into the accounts of customer service representatives who had fallen for phishing emails. The attackers then contacted these employees by phone, posing as Odido’s IT department, and manipulated them into approving a fraudulent login attempt. The targeted staff may have been external call centre workers based outside the Netherlands. In response, Odido said it immediately closed the attackers’ access to its systems, brought in cybersecurity experts to implement additional security measures, and ended the unauthorised access as quickly as possible. The company noted that it had not shared details on the threat actor behind the attack and that no known extortion group had claimed responsibility for the incident.