ShinyHunters Claims Massive Odido Breach: 21 Million Records Stolen

Security Reporter

Dutch telecom giant Odido confirms data breach affecting 6.2 million customers, while ShinyHunters extortion group claims to have stolen 21 million records including plaintext passwords and corporate data.

The ShinyHunters extortion gang has claimed responsibility for breaching Dutch telecommunications provider Odido, asserting they've stolen nearly 21 million user records from the company's compromised systems. This comes after Odido disclosed a data breach on February 12 that exposed personal information of millions of its customers nationwide.


The Breach Timeline

Odido discovered the breach on February 7 when attackers gained access to its customer contact system. The company revealed that threat actors downloaded personal data of many users, though it emphasized that no Mijn Odido passwords, call details, location data, billing information, or identity document scans were exposed.

According to Odido, the exposed information varies by customer and may include full name, address and city of residence, mobile number, customer number, email address, IBAN (bank account number), date of birth, and some identification details such as passport or driver's license numbers and their validity periods.

Scale of the Incident

The breach has affected approximately 6.2 million Odido customers, according to the company's statements to local media. However, ShinyHunters claims to have stolen nearly 21 million records, suggesting the scope may be larger than initially reported.

When contacted about the attribution and potential ransom demands, an Odido spokesperson declined to provide details "due to the ongoing investigations." The company has taken several steps in response, including reporting the breach to the Dutch Data Protection Authority, blocking the attackers' access, and hiring external cybersecurity experts for incident response.

Odido entry on ShinyHunters leak site

ShinyHunters' Claims

The extortion group has added Odido to its dark web leak site, where they claim the stolen data includes internal corporate information and plaintext passwords. This directly contradicts Odido's statements that no passwords were involved in the breach.

"This is a final warning to come back to our chat and finish what we set out to do before we leak along with several annoying (digital) problems that'll come your way," the group stated on their leak site. "Make the right decision, don't be the next headline. You know where to find us."

ShinyHunters' Recent Activity

This breach is part of a wave of attacks claimed by ShinyHunters in recent weeks. The group has taken responsibility for security incidents at major companies including Panera Bread, Betterment, SoundCloud, Canada Goose, PornHub, and Match Group (which owns Tinder, Hinge, Meetic, Match.com, and OkCupid).

The Vishing Connection

Many of ShinyHunters' recent victims appear to have been compromised through sophisticated voice phishing (vishing) attacks. The group has been targeting single sign-on (SSO) accounts at major providers like Google, Microsoft, and Okta.

These attacks involve calling employees while impersonating IT support staff, tricking them into entering credentials and multi-factor authentication (MFA) codes on phishing sites that mimic their companies' login portals. The group has also adopted device code vishing, abusing the OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens.

Once they steal credentials and authentication codes, the threat actors hijack SSO accounts to breach connected enterprise services including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others.
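For defenders, the device code technique described above leaves a trace in identity provider sign-in logs. The following is an added example, not from the original article or from Odido or Microsoft: it scans sign-in records for successful device code sign-ins by accounts that are not expected to use that flow. The field names are modeled on the Microsoft Entra sign-in log JSON export and should be verified against your own export; the sample records, the error code 1 and the allowlist are constructed.

```python
import json

# Constructed sample records (JSON lines). Field names are modeled on the
# Microsoft Entra sign-in log export; verify them against your tenant's data.
SAMPLE_LOG = """
{"createdDateTime":"2025-01-15T08:59:40Z","userPrincipalName":"A.deVries@example.test","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"none","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T09:14:02Z","userPrincipalName":"A.deVries@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T09:20:11Z","userPrincipalName":"b.jansen@example.test","appDisplayName":"Microsoft Office","authenticationProtocol":"deviceCode","status":{"errorCode":1}}
{"createdDateTime":"2025-01-15T09:05:30Z","userPrincipalName":"c.bakker@example.test","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
{"createdDateTime":"2025-01-15T09:30:00Z","userPrincipalName":"meetingroom-3@example.test","appDisplayName":"Microsoft Teams","authenticationProtocol":"deviceCode","status":{"errorCode":0}}
this line is truncated {"createdDateTime":
"""

# Hypothetical allowlist: accounts that legitimately use the device code flow
# (shared devices without a browser, for example).
EXPECTED_DEVICE_CODE_USERS = {"meetingroom-3@example.test"}


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line must not stop the scan
    return records


def flag_device_code_signins(records, allowlist=EXPECTED_DEVICE_CODE_USERS):
    """Return (time, user, app) for successful device code sign-ins to review."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        if (rec.get("status") or {}).get("errorCode") != 0:
            continue  # the flow did not complete, so no token was issued
        user = (rec.get("userPrincipalName") or "").lower()
        if user in allowlist:
            continue
        findings.append((rec.get("createdDateTime") or "", user,
                         rec.get("appDisplayName") or ""))
    return sorted(findings)


if __name__ == "__main__":
    for when, user, app in flag_device_code_signins(parse_signins(SAMPLE_LOG)):
        print(f"REVIEW {when} {user}: token issued via device code flow for {app}")
```

Where no account needs the device code flow at all, a Conditional Access policy that blocks it removes the need for an allowlist.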

Impact on Odido Customers

For the 6.2 million affected customers, the breach exposes a significant amount of personal information that could be used for identity theft, phishing attacks, or other fraudulent activities. The inclusion of bank account numbers (IBAN) and identification document details makes this particularly concerning.

Odido customers should be vigilant for suspicious communications and consider taking additional security measures, such as monitoring their financial accounts and being cautious about unsolicited calls or messages claiming to be from Odido or other service providers.

The incident highlights the ongoing threat posed by sophisticated extortion groups like ShinyHunters and the importance of robust security measures, including employee training to recognize vishing attempts and strong authentication protocols to protect customer data.
