Odido Confirms Cyberattack: Personal Data of 6.2 Million Customer Accounts Exposed
5 min. read 
Updated on
Odido says attackers accessed a customer contact system and downloaded personal data for about 6.2 million accounts. The company says core services were not affected and that no passwords, call records, or invoice data were included in the theft.
What happened
On 12 February 2026, Odido confirmed a cyberattack that led to unauthorized access to a customer contacts system. The telecom provider says attackers downloaded data linked to roughly 6.2 million customer accounts and that the breach was detected over the weekend of 7–8 February. Odido says it stopped the unauthorized access quickly and has engaged third-party cybersecurity experts.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
“Odido has been subject of a cyber-attack which has impacted customer data. Odido deeply regrets this situation and is committed to limiting the impact of this incident and providing all necessary support for customers.”
What data may have been taken
According to Odido and follow-up reporting, the data set may include a mix of contact and identity data from the customer contacts system. Reported items include:
- Full name
- Postal address and place of residence
- Mobile phone number
- Customer number and email address
- IBAN (bank account) numbers
- Dates of birth
- Passport or driver’s license numbers and document validity dates
Odido emphasizes that passwords, call logs and invoice details were not involved. The exact contents may vary by customer record.
Timeline and immediate actions taken
- Weekend of Feb 7–8: Odido detected suspicious activity in a customer contacts system.
- Feb 12, 2026: Odido published an incident notice and opened a dedicated information page for customers. The company engaged external cybersecurity specialists and reported the breach to the Dutch data protection authority.
- Odido says informing all affected customers by email may take up to 48 hours because of the volume.
Risks for customers
Data taken from customer contact systems is prized by criminals because it enables convincing phishing and social-engineering scams. With name, address, phone, email, birthdate and ID numbers, attackers can craft targeted impersonation attempts or fake invoices that look legitimate.
Tech analysts warn that even if passwords and call logs are safe, leaked identity data can still be abused for:
- Phishing by email, SMS, or voice calls
- Identity fraud and account takeover on other services
- Social engineering to reset accounts or request payments
The NOS tech editor summarized the risk: leaked contact and ID data makes scam messages far more convincing and increases the chance of successful fraud.
How Odido says it will support customers
Odido has published an information page and a dedicated notice for affected users. The company says it will:
- Send direct emails to impacted customers (from an official Odido address) and SMS notifications within 48 hours.
- Offer guidance on staying alert for suspicious messages and calls.
- Work with external cybersecurity experts and report the incident to the Dutch supervisory authority for data protection.
Quick technical table (what we know and what we do not)
| Item | Confirmed / Not confirmed |
|---|---|
| Number of affected accounts | ~6.2 million — Odido spokesperson to NOS. |
| Data source | Customer contact system used by Odido — Odido statement. |
| Passwords leaked? | No: Odido says passwords not involved. |
| Call logs leaked? | No: Odido says call records not involved. |
| Invoice / billing data leaked? | No: Odido statement. |
| Data published online? | Not yet; Odido says data has not been published but cannot exclude future disclosure. |
Recommended steps for customers
- Watch for emails, SMS, or calls that ask for money, credentials, or personal follow-up. Verify independently.
- Do not click links in unsolicited messages. Use the official Odido site or phone lines to confirm communications.
- If you see unfamiliar activity on financial accounts, alert your bank and monitor statements.
- Consider changing passwords on other services that might use the same recovery data, even though Odido says passwords were not leaked.
- If you are a business customer, audit any employee accounts that used Odido contact emails or numbers for service recovery.
- Report suspected fraud to your bank and to the Dutch Authority for Consumers and Markets or local CERT if targeted.
Regulatory context and next steps
Odido has reported the breach to the Dutch data protection authority. The AP (Autoriteit Persoonsgegevens) will monitor whether Odido takes appropriate steps under EU data protection rules. Dutch regulators have previously penalized telecom firms for security lapses, so the supervisory authority will likely review the company’s incident response and notification process.
FAQ
A: No. Odido says operational services remain available. Customers can continue to call, browse, and watch TV.
A: Odido will notify affected customers directly by email and SMS. The company warns this may take up to 48 hours. If you receive an email, check the sender domain and confirm via Odido’s official site if in doubt.
A: Odido says passwords were not leaked. Still, changing passwords on other services where you reuse recovery data is a prudent precaution.
A: The company has not announced compensation. Investigations and regulator engagement are ongoing. Monitor Odido’s information page for updates.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages