
Odido Data Breach: ShinyHunters Gang Claims Millions Affected

Summary

– The ShinyHunters extortion gang claimed responsibility for breaching Dutch telecom provider Odido, stating they stole nearly 21 million user records.
– Odido disclosed the February breach, confirming attackers accessed personal data like names, addresses, and ID numbers for approximately 6.2 million customers.
– The company stated that sensitive data such as passwords, call details, billing information, and identity document scans was not exposed, contradicting the hackers’ claims.
– Following the breach, Odido reported it to authorities, blocked the attackers’ access, and hired external cybersecurity experts for the investigation.
– ShinyHunters has been linked to a recent wave of breaches, often using vishing attacks to compromise employee credentials and access corporate systems.

A major data breach at Dutch telecommunications provider Odido has potentially exposed the personal information of millions of customers, with the notorious ShinyHunters extortion gang claiming responsibility for the attack. The company, which provides mobile, broadband, and television services across the Netherlands, disclosed the incident in mid-February, stating that attackers had infiltrated its customer contact system. While Odido confirmed the theft of personal data, it emphasized that sensitive information such as account passwords, call records, location data, billing details, and identity document scans was not compromised in the intrusion.

The data accessed by the attackers varies from customer to customer but may include a combination of highly sensitive details. The exposed information can include full names, home addresses, mobile numbers, customer IDs, email addresses, bank account numbers (IBAN), dates of birth, and even passport or driver’s license numbers. Odido initially informed local media that approximately 6.2 million customers were impacted and that the threat actors had contacted the company to boast about stealing millions of user records. In response to the breach, the telecom firm reported the incident to Dutch data protection authorities, blocked the attackers’ access, and engaged external cybersecurity experts to manage the response.

Although Odido has not officially named the perpetrators, the ShinyHunters gang has listed the company on its dark web leak site. The cybercriminals contradict the company’s statements, alleging they stole nearly 21 million records, including internal corporate data and plaintext passwords. An Odido spokesperson has firmly denied these additional claims, reiterating that no passwords or financial data were involved. On their leak site, ShinyHunters issued a threatening message to Odido, urging the company to return to negotiations or face a full data leak alongside disruptive digital attacks.

This incident is part of a broader campaign by the ShinyHunters group, which has recently claimed attacks on a wide array of high-profile organizations. Their list of alleged victims includes Panera Bread, Betterment, SoundCloud, Canada Goose, PornHub, and the online dating conglomerate Match Group. The gang’s methodology often involves sophisticated voice phishing, or vishing, schemes. In these attacks, they impersonate IT support staff to trick employees into surrendering their login credentials and multi-factor authentication codes on fake corporate login pages.

A particularly concerning evolution in their tactics is the adoption of device code vishing, which abuses the OAuth 2.0 device authorization process to steal Microsoft Entra authentication tokens. Once they successfully hijack a single sign-on account, the attackers gain a foothold to breach a vast ecosystem of connected enterprise services. This can include platforms like Salesforce, Microsoft 365, Google Workspace, and many other critical business applications, leading to widespread data theft and extortion demands.
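For defenders, device-code sign-ins are usually rare enough to review one by one. The sketch below is an added example, not taken from the article or from Odido's investigation: it flags device-code sign-ins by accounts that are not expected to use that flow and lists the applications the same account reached shortly afterwards. The field names are modelled on Entra sign-in log exports and, like the sample records and the allowlist, are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are an assumption modelled on
# Entra sign-in log exports; map them onto your own log schema.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-01-15T09:00:00Z", "userPrincipalName": "a.devries@example.test",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2025-01-15T10:00:00Z", "userPrincipalName": "a.devries@example.test",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Example CLI Client"},
    {"createdDateTime": "2025-01-15T10:05:00Z", "userPrincipalName": "a.devries@example.test",
     "authenticationProtocol": "none", "appDisplayName": "Salesforce"},
    {"createdDateTime": "2025-01-15T10:20:00Z", "userPrincipalName": "a.devries@example.test",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 SharePoint Online"},
    {"createdDateTime": "2025-01-15T12:30:00Z", "userPrincipalName": "a.devries@example.test",
     "authenticationProtocol": "none", "appDisplayName": "Office 365 Exchange Online"},
    {"createdDateTime": "2025-01-15T11:00:00Z", "userPrincipalName": "kiosk-tv@example.test",
     "authenticationProtocol": "deviceCode", "appDisplayName": "Example Meeting Room App"},
]

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-01-15T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_device_code_signins(signins, allowed_users=frozenset(), window=timedelta(hours=1)):
    """Return one finding per device-code sign-in by a user outside allowed_users,
    with the apps that user reached within `window` after the sign-in."""
    events = sorted(signins, key=lambda e: parse_ts(e["createdDateTime"]))
    findings = []
    for ev in events:
        user = ev["userPrincipalName"]
        if ev["authenticationProtocol"] != "deviceCode" or user in allowed_users:
            continue
        start = parse_ts(ev["createdDateTime"])
        # Apps the same account touched in the follow-on window (triage context).
        apps_after = sorted({
            e["appDisplayName"] for e in events
            if e["userPrincipalName"] == user
            and start < parse_ts(e["createdDateTime"]) <= start + window
        })
        findings.append({"user": user, "time": ev["createdDateTime"],
                         "client_app": ev["appDisplayName"], "apps_after": apps_after})
    return findings

if __name__ == "__main__":
    # The kiosk account is a hypothetical input-constrained device that legitimately uses the flow.
    for finding in find_device_code_signins(SAMPLE_SIGNINS, allowed_users={"kiosk-tv@example.test"}):
        print(finding)
```

Where no account has a legitimate need for the device authorization flow, leave the allowlist empty so that every such sign-in is reviewed.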

(Source: Bleeping Computer)
