Odido Breach: How a Single CRM System Handed 6.2 Million Identity Theft Starter Kits to Unknown Attackers
ID: cd3d72f1-ca22-5a0b-9c5c-f6bdb1c4bdb6
STIX ID: report--cd3d72f1-ca22-5a0b-9c5c-f6bdb1c4bdb6
Feed Name: NoHackie
On the weekend of 7–8 February 2026, Odido, the Netherlands' largest mobile carrier, detected unauthorized access to a customer contact (CRM) system and later disclosed a breach affecting about 6.2 million customer accounts. Exfiltrated fields reportedly include full names, addresses, phone numbers, email addresses, account numbers, dates of birth, IBANs, and passport/driver's license numbers. The attackers contacted Odido directly, suggesting an extortion motive. The report highlights CRM systems as high-value targets, a failure of detection (the attacker, not internal systems, first alerted the company), substantial fraud and identity-theft risks (precision phishing, SIM-swap, synthetic identities), and significant regulatory exposure under GDPR and NIS2.
