The Odido / T-Mobile NL breach is trending right now. Searches for “pwned odido” are up over 1,600% in the Netherlands. If you were an Odido customer, your personal data may be circulating online. This toolkit walks you through exactly what to check, what to do, and in what order.
Enter your email and see every data breach it appears in, including Odido / T-Mobile NL. Also set up email alerts to get notified when your address appears in any breach.
This is where it gets serious. IntelX indexes leaked databases, dark web dumps, and breach data that HaveIBeenPwned does not show. You can see the actual data that is circulating about you: passwords, addresses, phone numbers. Exporting the leaks is not available for individual users here. What you can see is a detailed view of what has been leaked and when it happened.
Pro tip: If you have a school email address (a student or university address), you can create a free IntelX account and set up to 10 email alerts. Set one up for every email address you use — work, personal, old addresses. You will be automatically notified the moment any of those addresses appear in a new breach.
Search by email, username, or phone number to see what leaked data is indexed about you. Data breaches are accessible for Pro and Enterprise users.
If your password strategy is not already sorted, start today. This breach is your wake-up call.
The real risk after a breach is not just the leaked data itself. It is what attackers do next: they take that password and automatically try it on your bank, your email, your Amazon, your Apple ID. This is called credential stuffing: automated, at scale, within hours of a breach going public. Here are my four pillars of password management.
You cannot memorize 50 unique 16-character passwords. You are not supposed to. Bitwarden is free, open source, and trusted by security professionals. 1Password is the premium alternative. You may already have a password manager included with a service you use, such as NordVPN or MEGA.
Length beats complexity every time. A 16-character password is exponentially harder to crack than an 8-character one, even without special characters. Personally I use between 56 and 64 characters, including numbers, symbols and mixed case. It makes it mathematically impossible to crack with a brute force attack.
Use this to check your password strength: → 2ip.io/passcheck
Generate strong passwords easily → norton.com/feature/password-generator
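To put numbers on the length-versus-complexity point, the following Python sketch compares the brute-force search space of the password lengths mentioned above and generates a random password locally. It is an added example, not part of the original toolkit; the guess rate of 10^12 per second is an assumption, and the figures only hold for passwords chosen uniformly at random.

```python
import math
import secrets
import string

# Four character pools: lower, upper, digits and 32 ASCII symbols (94 in total).
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)
GUESSES_PER_SECOND = 1e12  # assumption: a well-resourced offline attacker

def search_space_bits(length, pool_size):
    """Bits of search space for a uniformly random password."""
    return length * math.log2(pool_size)

def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)

def generate(length=16, pools=POOLS):
    """Draw a password from the OS CSPRNG, retrying until every pool appears."""
    if length < len(pools):
        raise ValueError("length must be at least the number of pools")
    alphabet = "".join(pools)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in pool for ch in candidate) for pool in pools):
            return candidate

def compare():
    """Search space for the lengths discussed in the text."""
    cases = {"8 chars, all 94 characters": (8, 94),
             "16 chars, lowercase only": (16, 26),
             "64 chars, all 94 characters": (64, 94)}
    return {name: search_space_bits(*args) for name, args in cases.items()}

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years")
    print("generated:", generate(64))
```

A 16-character lowercase-only password (about 75 bits) already has a far larger search space than an 8-character password drawn from all 94 characters (about 52 bits).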
One leaked password means attackers will try it on every other account you have under that email address. Every account needs its own unique password. No exceptions.
MFA blocks 99% of automated attacks, even when your password has already been leaked. Use an authenticator app — not SMS if you can avoid it.
Banking and payment services
Your bank accounts, PayPal, Stripe etc. — anything where money moves. Reset your password and enable MFA immediately.
Accounts with your payment details stored
Bol.com, Amazon, Zalando, Netflix, Spotify, Apple ID, Google — any account where your credit card or iDEAL is saved. They have your payment details.
Your email accounts
Your inbox is the master key to everything else. Anyone who has access to your email can use “forgot password” to get into almost every other account you own. Treat this as top priority right after banking.
Every other account — work through your inbox
Open your inbox and search for: “welcome”, “your account”, “confirm your registration”, “you have successfully registered”. This will surface accounts you have forgotten about. Reset everything you find.
You do not have to do this all in one day. But start with banking and payment accounts today. Then install a password manager. From that point on, every time you log into an account, reset the password and let the manager save it. Within a week you will have your most critical accounts covered without it feeling overwhelming.
Most email providers (Gmail, Proton, and others) support plus addressing. This means you+tag@gmail.com delivers to your normal inbox. Use a unique tag for every service you sign up for.
If you start receiving spam at you+odido@gmail.com, you know immediately where it came from, even if the company never publicly admitted a breach. Automated systems rarely strip the plus tag, so in the majority of cases the source is visible right there in the spam or phishing email. If you log in with your Google account on most platforms, make sure its password is strong and not compromised (with alerts set up), and that MFA is enabled.
Examples:
you+odido@gmail.com — used for Odido registration
you+bol@gmail.com — used for Bol.com
you+newsletter@gmail.com — used for newsletters and marketing
you+bank@gmail.com — used for banking (if spam arrives here, that is a serious red flag)
In the case of Odido, you would have been better protected if your leaked email address was plus-addressed — a simple technique that shields your real address and tells you exactly where a breach came from. Especially if your password was weak or reused, the risk of credential stuffing is real.
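The check described above can be automated over exported mail. The following Python sketch is an added example, not part of the original toolkit: it reads the recipient headers of each message, extracts the plus tag, and reports tags that received mail from a sender domain other than the one the tag was registered with. The tag-to-domain mapping, the sender domains and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the domain each tag was registered with (hypothetical mapping).
EXPECTED = {"odido": {"odido.nl"}, "bol": {"bol.com"}, "bank": {"bank.example"}}
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")
SAMPLES = [  # constructed messages, headers only
    "From: Odido <service@odido.nl>\nTo: you+odido@gmail.com\nSubject: Invoice\n\n",
    "From: Prizes <win@prizes.example>\nTo: You <you+odido@gmail.com>\nSubject: Won\n\n",
    "From: news@bol.com\nDelivered-To: you+bol@gmail.com\nTo: you+bol@gmail.com\n\n",
    "From: alerts@bank-secure.example\nTo: you+bank@gmail.com\nSubject: Verify\n\n",
]

def plus_tag(address, mailbox):
    """Return the +tag if `address` is a tagged form of `mailbox`, else None."""
    local, _, domain = address.lower().rpartition("@")
    base_local, _, base_domain = mailbox.lower().rpartition("@")
    name, plus, tag = local.partition("+")
    if domain == base_domain and name == base_local and plus and tag:
        return tag
    return None

def leaked_tags(raw_messages, mailbox, expected=EXPECTED):
    """Sorted (tag, sender_domain) pairs where a tag got mail from an unexpected sender."""
    findings = set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        # From is sender-controlled, so a match is a hint and a mismatch is the signal.
        sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        values = [v for h in RECIPIENT_HEADERS for v in msg.get_all(h, [])]
        for _, addr in getaddresses(values):
            tag = plus_tag(addr, mailbox)
            if tag is None:
                continue
            allowed = expected.get(tag, set())
            # Accept the registered domain and its subdomains only.
            if not any(sender_domain == d or sender_domain.endswith("." + d)
                       for d in allowed):
                findings.add((tag, sender_domain))
    return sorted(findings)

if __name__ == "__main__":
    for tag, domain in leaked_tags(SAMPLES, "you@gmail.com"):
        print(f"+{tag} received mail from {domain}")
```

Because the From header can be forged, a message that claims the expected domain is not proof of legitimacy; the useful signal is a tagged address receiving mail from anyone else.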
In the free course OPSEC 101, you can learn all about this. No prior experience needed. Being aware of these risks and knowing how to protect yourself is called Operational Security (OPSEC). It's the foundation of safe and effective OSINT work. In this course, you'll learn practical methods for secure browsing, anonymous research, and protecting yourself while conducting investigations, as well as in your day-to-day life.