Odido and the largest digital data theft of its kind in the Netherlands

Blog  — Fri 13 Feb 2026

Last weekend was an unpleasant one for Odido and at least 6.2 million Dutch residents who are or were customers of Odido and BEN. The largest digital theft of personal data of its kind in the Netherlands was confirmed. Not only current customers, but also some former customers have now become more vulnerable to identity fraud. Various types of data, from first and last names to IBAN bank account numbers and even scans of identity documents, were likely stolen.

How did the intruders gain access?

From our information security perspective, it is important to understand how this could have happened. As we explained earlier, attackers are increasingly shifting their focus toward people. Years ago, technical IT systems were attacked more frequently, but today organizations with stronger technical defenses are more often confronted with attacks targeting their employees.

In this incident, it appears that the attackers were able to log in to customer service employee accounts. The passwords of these employees were obtained through phishing. We discussed a similar case last year.

Phishing involves sending emails that, for example, claim a password is about to expire and must be renewed immediately. These emails are often highly convincing. After clicking a link, the employee is taken to a fake website where they are prompted to enter their current password. The new password does not matter to the attacker, because the old password alone grants access to Odido’s systems.

Logging into the systems, in this case the platform provided by Salesforce, was protected with two-step verification. To bypass this, the attackers called the employees whose passwords they had already stolen. During the call, they impersonated staff from Odido’s IT department and asked the employee to approve a login attempt under the pretext of performing a test.

How could so much data be stolen?

Once logged in, the attackers were able to exfiltrate the data of millions of customers. It is known that they used not just one but multiple employee accounts. This makes it easier to extract large amounts of data with a lower chance of detection.

Using multiple accounts reduces the likelihood that unusual data transfers are immediately noticed by security teams. However, it also increases the chance that one of the involved employees might raise the alarm. That did not happen, which suggests that both the phishing emails and the phone calls were highly professional and well prepared.

Although Salesforce is widely used as a cloud service, monitoring large data flows in cloud environments can be more challenging than monitoring systems fully managed within an organization. This is especially true when multiple accounts export smaller batches of data over several days.
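
To illustrate the monitoring problem described above, here is an added example (not code from Odido, Salesforce, or the original post). It compares a per-account daily export threshold with a rolling multi-day total per account and across all accounts. The log records, account names, and every threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export log (not real data): (day, account, records exported).
# Two accounts show routine activity; three export 40,000 records a day for 3 days.
EVENTS = (
    [(date(2025, 3, d), acct, 400) for d in range(1, 8) for acct in ("agent_x", "agent_y")]
    + [(date(2025, 3, d), acct, 40_000) for d in range(5, 8)
       for acct in ("agent_a", "agent_b", "agent_c")]
)

DAILY_LIMIT = 50_000            # assumed per-account, per-day threshold
WINDOW_DAYS = 3                 # assumed look-back window
ACCOUNT_WINDOW_LIMIT = 100_000  # assumed per-account total over the window
FLEET_WINDOW_LIMIT = 250_000    # assumed total across all accounts over the window


def daily_alerts(events, limit=DAILY_LIMIT):
    """Naive rule: flag an account only when a single day's exports exceed the limit."""
    per_day = defaultdict(int)
    for day, acct, n in events:
        per_day[(day, acct)] += n
    return sorted(key for key, total in per_day.items() if total > limit)


def window_totals(events, end_day, window_days=WINDOW_DAYS):
    """Sum exports per account over the window ending on end_day (inclusive)."""
    start = end_day - timedelta(days=window_days - 1)
    totals = defaultdict(int)
    for day, acct, n in events:
        if start <= day <= end_day:
            totals[acct] += n
    return totals


def windowed_alerts(events, end_day):
    """Return (accounts over the window limit, fleet total, fleet limit exceeded)."""
    totals = window_totals(events, end_day)
    accounts = sorted(a for a, t in totals.items() if t > ACCOUNT_WINDOW_LIMIT)
    fleet_total = sum(totals.values())
    return accounts, fleet_total, fleet_total > FLEET_WINDOW_LIMIT


if __name__ == "__main__":
    print("daily rule:", daily_alerts(EVENTS))
    print("windowed rule:", windowed_alerts(EVENTS, date(2025, 3, 7)))
```

The daily rule stays silent because no account exceeds its limit on any single day, while the windowed totals flag all three accounts and the combined volume.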

What will be done with the stolen data?

This is not yet clear. Odido has not communicated whether there has been any contact with the attackers or whether any ransom has been demanded. Another potential motive is the sale of stolen personal data on digital black markets. With such data, criminals can target victims more convincingly and attempt further fraud.

Another possibility is identity fraud, for example when applying for loans, opening accounts, or ordering products with deferred payment. There is also a chance that this was a targeted attack, where the bulk of the data was less relevant, but specific individuals or roles within organizations were the true targets, such as executives, civil servants, or politicians.

Who has Odido brought in to help?

The name of the external information security firm supporting Odido with the investigation has not been disclosed.

When an organization experiences a cyber incident, external support is often brought in for forensic investigation, containment, and recovery. However, affected companies rarely disclose which specialist is assisting them. There are several reasons for this.

First, sharing this information can interfere with the ongoing investigation by giving attackers insight into the involved parties, the analytical methods used, or specific approaches. Public disclosure can also put additional pressure on the external firm or lead to unwarranted speculation about the progress of the investigation.

Finally, naming the partner may have legal or contractual implications, for example when confidentiality agreements are in place or when it is not yet fully clear which data has been affected. For these reasons, organizations often choose to share more details only after the investigation is completed, or sometimes not at all.

The current status

The exact amount of stolen data has not yet been made public and may not yet be fully known to Odido or the professionals supporting them. Odido has stated that at least 6.2 million customer records are involved. The type and quantity of data differ per customer. The system also contained data from BEN, but according to Odido, no data from Simpel was stolen. Both brands operate under Odido.

The identity of the group responsible for the intrusion has also not been disclosed so far.

The intrusion was reportedly detected during the weekend of 7 and 8 February 2026. News agency Reuters reported on 9 February that Odido’s planned IPO may be postponed, although this does not necessarily have a direct connection to the incident.

Odido states that it will continue to provide updates about the incident through this page.