Telecom Provider Odido Data Breach Affects 6.2 Million Customers
Learn More
Odido, a telecommunications provider in the Netherlands, reports a data breach on February 12, 2026, affecting approximately 6.2 million customer accounts.
The incident was detected during the weekend of February 7, 2026. The attackers reportedly contacted Odido directly to alert the company that they had stolen millions of records. Odido launched an investigation with both internal security teams and external cybersecurity specialists to determine the scope of the incident
The compromised data includes:
- Full names and home addresses
- Mobile phone and customer numbers
- Email addresses
- International Bank Account Numbers (IBAN)
- Dates of birth
- Identification data, including passport or driver's license numbers and validity dates
The number of affected individuals is 6.2 million. The nature of the attack is not disclosed. Odido claims that highly sensitive information, such as account passwords, call logs, location data, and scans of physical identification documents, was not accessed during the incident.
Upon discovering the breach, Odido blocked the attackers and reported the event to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
Impacted customers are being notified via email within a 48-hour window, providing specific details on the categories of their personal information that may have been exposed.
Odido’s claims that the core operational services, including mobile telephony, internet, and television, were fully functional throughout the incident.
Security experts recommend that affected individuals monitor their bank statements for unauthorized transactions and be careful of phishing attempts that may use the stolen contact details.
Update - Apparently, customers who ended their contracts with Odido up to 10 years ago received email about data compromisation, despite a two-year data retention privacy policy after contract end. Legal experts suggest the firm can be held liable if proven they violated data laws.
As of 23rd of February 2026, the cybercriminal group Shinyhunters claimed the breach of Odido and claim to have stolen data of up to 8 million customers. The hackers threaten to leak it on the dark web unless a seven-figure ransom is paid.
As of 27th of February 2026, ShinyHunters is progressively leaking data stolen in the incident after the company refused to pay a ransom exceeding €1 million. The hackers say they will release more Odido data over the next two weeks if the company does not pay. The leaked data includes sensitive internal notes identifying victims of stalking and domestic violence, including protected addresses creating direct physical safety risks for those individuals.
