Odido Breach Exposes 6.2 Million Customers — A Wake-Up Call for Telecoms
ShinyHunters breached Dutch telecom giant Odido via MFA bypass and Salesforce CRM access, leaking personal and financial data of one-third of the Netherlands population.
In February 2026, Dutch telecom giant Odido suffered one of the most significant data breaches in European history — exposing 6.2 million customer records, roughly one-third of the entire population of the Netherlands.
How it happened
The threat actor group ShinyHunters gained access through a combination of phishing emails and IT staff impersonation, successfully bypassing multi-factor authentication. Once inside, attackers moved laterally into Odido's Salesforce CRM system — the central repository for customer data.
What was exposed
The breach compromised an alarming breadth of personal data:
- Full names, phone numbers, postal addresses, and email addresses
- Dates of birth and bank account numbers (IBAN)
- Passport and driver's license numbers
The ransom refusal — and its consequences
On February 26, Odido refused to pay a "low seven-figure" ransom demand. Days later, on March 1, 2026, the full dataset was published to the dark web, making the data freely accessible to criminal networks.
What this means for businesses
This breach is a textbook example of how social engineering and MFA bypass can bring down even enterprise-grade defenses. The attack vector wasn't a zero-day exploit — it was human error, manipulated by a sophisticated threat actor.
Key takeaways for organizations:
- MFA alone is not enough. Phishing-resistant MFA (hardware keys, passkeys) should replace SMS/app-based MFA for privileged accounts.
- CRM systems are high-value targets. Platforms like Salesforce holding bulk customer data require strict access controls and anomaly detection.
- Incident response speed matters. The 13-day window between breach and disclosure allowed attackers to stage and prepare the full data dump.
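The second takeaway, anomaly detection on a CRM holding bulk customer data, is concrete enough to show as code. The following is an added example written for this article, not code from Odido, Salesforce, or the original author. It assumes a generic CRM audit log with one line per action (timestamp, user, action, record count); that format and the sample lines are constructed for illustration and are not the Salesforce Event Monitoring schema. The one-hour window, the 50,000-record limit, and the business-hours range are placeholder thresholds a defender would tune against their own baseline. The detection flags any account whose exported record volume inside a sliding window exceeds the limit, and notes whether the activity fell outside business hours, which is the kind of signal that would surface a mass CRM export before the data reaches a leak site.

```python
"""Bulk-export anomaly detection over CRM audit events.

Added example (not the article's or any vendor's code). The log format
below is constructed for illustration; it is NOT a real product's audit
schema. Thresholds are placeholders to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: ISO timestamp, user, action, record_count.
# The 'svc-integration' account exporting hundreds of thousands of records
# late in the evening is the pattern we want to surface.
SAMPLE_LOG = """\
2026-02-10T08:01:12Z alice.ops REPORT_EXPORT 120
2026-02-10T08:03:45Z alice.ops REPORT_EXPORT 95
2026-02-10T09:10:02Z bob.sales RECORD_VIEW 1
2026-02-10T21:14:30Z svc-integration REPORT_EXPORT 250000
2026-02-10T21:16:01Z svc-integration REPORT_EXPORT 250000
2026-02-10T21:18:40Z svc-integration REPORT_EXPORT 250000
2026-02-10T21:20:05Z svc-integration API_BULK_QUERY 400000
"""

WINDOW = timedelta(hours=1)           # placeholder sliding window
RECORDS_PER_WINDOW_LIMIT = 50_000     # placeholder volume threshold
BUSINESS_HOURS = range(7, 19)         # placeholder: 07:00-18:59 UTC
EXPORT_ACTIONS = {"REPORT_EXPORT", "API_BULK_QUERY"}


def parse_line(line):
    """Parse one constructed audit line into (timestamp, user, action, count)."""
    ts, user, action, count = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, int(count)


def parse_log(text):
    """Parse a whole log blob, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_bulk_exports(events, window=WINDOW, limit=RECORDS_PER_WINDOW_LIMIT):
    """Return one alert per offending user as a tuple:
    (user, window_start, records_in_window, off_hours).

    A user is flagged the first time the sum of records they exported
    within any `window`-long span exceeds `limit`. Non-export actions
    (e.g. single RECORD_VIEW) are ignored.
    """
    per_user = defaultdict(list)
    for ts, user, action, count in sorted(events):      # sorted by timestamp
        if action in EXPORT_ACTIONS:
            per_user[user].append((ts, count))

    alerts = []
    for user, rows in per_user.items():
        start, total = 0, 0
        for ts, count in rows:
            total += count
            # Slide the window forward: drop events older than `window`.
            while ts - rows[start][0] > window:
                total -= rows[start][1]
                start += 1
            if total > limit:
                off_hours = ts.hour not in BUSINESS_HOURS
                alerts.append((user, rows[start][0], total, off_hours))
                break  # one alert per user per run is enough to triage
    return alerts


if __name__ == "__main__":
    for user, start, total, off_hours in find_bulk_exports(parse_log(SAMPLE_LOG)):
        flag = " (outside business hours)" if off_hours else ""
        print(f"ALERT {user}: {total} records exported from {start:%Y-%m-%d %H:%M}{flag}")
```

Running the block prints a single alert for the `svc-integration` account. In practice the same logic would read a SIEM-normalised export of the CRM's real audit events, and the threshold would be set relative to each role's historical export volume rather than a fixed number.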
The Odido breach is a warning to every organization — telecom, finance, healthcare, or otherwise — that holds personal data at scale.