
Lessons from the Odido Breach: Strengthening Your Salesforce® Security


The recent Odido breach has caught the attention of organisations everywhere, including here at Mint®. The Dutch telecommunications provider Odido, formerly part of T-Mobile Netherlands, experienced a significant cyberattack in early February 2026 that exposed the personal information of over six million customers stored in its Salesforce® system.

What makes the Odido breach instructive for Salesforce® users is that it did not stem from a flaw in the platform itself, but from how the attackers gained access. The perpetrators used social engineering techniques – including phishing and impersonation of internal IT support – to trick customer service employees into surrendering sensitive credentials and authorisation codes.

So What Happened?

  • Hackers targeted individual employees with phishing attacks to steal login details.
  • They then posed as internal IT staff to bypass multi-factor authentication (MFA).
  • This allowed them to access the organisation’s Salesforce® instance and scrape customer data.

While the company quickly shut down the unauthorised access and engaged external cybersecurity experts, the exact dwell time – how long attackers may have had access – remains a key risk consideration.

This incident underscores a simple truth: no platform, even one as robust as Salesforce®, is immune to threats that exploit the human element.

Why This Matters to You

For Mint® clients and those using Salesforce® or planning digital transformation projects, this serves as a timely reminder that security isn’t just about technology. It’s about people, permissions and processes.

Below are key areas to review, with practical actions to consider.

Internal Communication & Security Culture

Phishing and social engineering remain among the most effective attack methods. Regular, scenario-based training helps teams recognise suspicious activity before it becomes a breach.

Consider reinforcing clear behavioural guidance:

  • Employees should verify unexpected IT requests by calling back using official contact details.
  • IT support should never ask for passwords or MFA codes, or request installation of apps or plugins.

Clear, repeated messaging turns awareness into action.

User Permissions & Least-Privilege Access

Restricting what users can see and do, especially around sensitive customer records, limits the impact of compromised credentials.

Practical steps include:

  • Auditing user roles and permissions regularly
  • Ensuring high-risk capabilities (such as app installation) are restricted to administrators
  • Reviewing whether each role truly requires its current level of data access

Connected Apps & Installed Tools

Third-party and connected apps are a critical but often overlooked risk area.

  • Review all connected apps and remove unused or unknown integrations
  • Implement app allow-listing so only approved tools can connect
  • Validate whether any unauthorised apps may have been installed during a potential compromise window

This helps prevent both initial compromise and long-term persistence.

IT Security Policies, Monitoring & Access Controls

Regular audits aren’t optional; they’re essential for a resilient security posture.

Strengthen detection and prevention by:

  • Monitoring for high-volume queries or unusual data exports
  • Alerting on report or CSV downloads at abnormal levels
  • Reviewing login attempts from unfamiliar locations
  • Considering network controls such as VPN or IP allow-listing for Salesforce® access

These controls provide visibility that can dramatically reduce response time during an incident.
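
The monitoring checks listed above can be sketched as a small detector. This is an added example, not part of the original article or any Salesforce® tooling: it flags exports far above a user's own baseline and logins from outside an allow-listed network. The log format, column names, thresholds and IP range are constructed assumptions and do not reflect the Salesforce® Event Monitoring schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample events; column names are hypothetical, not a Salesforce schema.
SAMPLE_LOG = """timestamp,user,event,rows,source_ip
2026-01-12T09:02:00Z,agent.a,login,0,203.0.113.10
2026-01-12T09:05:00Z,agent.a,report_export,120,203.0.113.10
2026-01-13T10:11:00Z,agent.a,report_export,95,203.0.113.10
2026-01-14T11:30:00Z,agent.a,report_export,140,203.0.113.10
2026-01-14T12:00:00Z,agent.b,report_export,300,203.0.113.22
2026-01-15T02:14:00Z,agent.a,login,0,198.51.100.7
2026-01-15T02:20:00Z,agent.a,report_export,48000,198.51.100.7
"""

ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office/VPN range
SPIKE_FACTOR = 10      # alert when an export exceeds 10x the user's own median
MIN_HISTORY = 3        # exports needed before a per-user baseline is trusted
ABSOLUTE_CAP = 10000   # fallback ceiling for users without a baseline


def find_alerts(log_text):
    """Return (timestamp, user, reason) tuples for suspicious events."""
    history = defaultdict(list)   # user -> row counts of earlier normal exports
    alerts = []
    # ISO-8601 UTC timestamps in one format sort correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    for r in rows:
        ip = ipaddress.ip_address(r["source_ip"])
        if r["event"] == "login" and not any(ip in n for n in ALLOWED_NETS):
            alerts.append((r["timestamp"], r["user"], "login_outside_allow_list"))
        if r["event"] == "report_export":
            count, past = int(r["rows"]), history[r["user"]]
            if len(past) >= MIN_HISTORY:
                limit = SPIKE_FACTOR * median(past)
            else:
                limit = ABSOLUTE_CAP
            if count > limit:
                alerts.append((r["timestamp"], r["user"], "export_volume_spike"))
            else:
                past.append(count)   # only normal exports feed the baseline
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

Keeping flagged exports out of the baseline stops a single large extraction from raising the threshold for the ones that follow it.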

Data Governance & Minimisation

Incidents like this also highlight the importance of understanding what data you hold and why.

Organisations should periodically assess:

  • Whether all stored data is necessary for business purposes
  • Whether retention policies are defined and enforced
  • How sensitive data is segmented and protected

Reducing unnecessary data lowers both risk exposure and regulatory impact.

Bottom Line

The Odido incident isn’t a reason for alarm, but it is a clear call to action. It reinforces that security is a shared responsibility: platforms provide strong foundations, but organisations must build a secure structure on top through clear communication, layered controls, and continuous review.

A practical takeaway is to think in terms of defence in depth, combining culture, governance, technical safeguards and monitoring to reduce both the likelihood and impact of an attack.

If you’d like support reviewing your Salesforce® security posture, internal user governance, connected app policies or monitoring approach, Mint® is here to help. Let’s talk security.
