Dutch telecommunications provider Odido (formerly T-Mobile Netherlands) has confirmed a massive cyberattack resulting in the exposure of personal information belonging to approximately 6 million customers.
Scope of the Breach
The stolen dataset, which has already surfaced on dark web forums for sale by a known criminal syndicate, is highly sensitive. The leaked information reportedly includes:
- Full names and physical addresses
- Phone numbers and primary email addresses
- Date of birth
- Bank account details (IBANs)
- Partial passport and government ID numbers
The Attack Vector
While the exact initial access vector remains under forensic investigation, early threat intelligence suggests the attackers exploited a vulnerability in a legacy, third-party customer relationship management (CRM) API that lacked sufficient rate-limiting and access controls.
"This is a severe incident that dramatically increases the risk of targeted spear-phishing, SIM swapping, and identity theft for millions of Dutch citizens." — European CERT Analyst
Worried about your data?
Customers are advised to monitor their bank transactions and be highly vigilant against unsolicited texts or calls claiming to be from Odido support.