The Dutch National Police (Politie) has announced it found “strong indications” that Dutch hackers were involved in the February breach at telecommunications provider Odido, one of the largest telecom operators in the Netherlands.
According to a police press release, investigators identified a phone call made to Odido customer service shortly before the hack. In the call, a Dutch-speaking man posed as an Odido IT employee. The company was then misled through phishing, which led directly to the data theft.
Stan Duijf, head of operations at the National Investigation and Interventions Unit, said this type of investigation is often complex and slow, but that cybercriminals leave traces. He noted that evidence has been secured at multiple points during the ongoing probe.
Breach Details
Odido disclosed the breach on February 12, stating that attackers accessed its customer contact system on February 7 and downloaded personal data belonging to a large number of users. The company later told local media that 6.2 million customers were affected, and that the attackers contacted Odido claiming to have stolen millions of records.
Exposed data varied by customer but could include full name, address, city of residence, mobile number, customer number, email address, IBAN, date of birth, and identification details such as passport or driver’s license numbers. Odido said call details, location data, billing data, ID document scans, and Mijn Odido passwords were not exposed.
ShinyHunters Claim
While Odido has not formally attributed the attack, the ShinyHunters extortion group claimed responsibility on its dark web leak site, publishing an 88GB archive containing more than 15 million records, some of which matched data Odido had already disclosed as compromised.
ShinyHunters has been linked to a wide range of vishing campaigns targeting Okta, Microsoft, and Google single sign-on accounts, impersonating IT support staff to trick employees into entering credentials and MFA codes on phishing pages. Once inside corporate SSO environments, the group has been known to pivot into connected SaaS platforms such as Microsoft 365, Google Workspace, Salesforce, SAP, Slack, Zendesk, Dropbox, Adobe, and Atlassian.
The group has previously been tied to breaches at Google, Cisco, PornHub, Match Group, the European Commission, Rockstar Games, McGraw-Hill, over a dozen Snowflake customers, and more than 100 organizations affected by attacks exploiting an Oracle PeopleSoft zero-day flaw, including the University of Nottingham.
