Skip to main content
Emerging ThreatsMalware & Ransomware

Dutch Police Expose Suspects in Odido Hacking Case

Dutch National Police officer stands in formal briefing room with agency emblem and cityscape in background.

"This includes a telephone conversation that was made with Odido customer service shortly before the hack. In this conversation, a Dutch-speaking man posed as Odido's IT employee. The company was then misled through phishing, after which the data theft took place," the Dutch National Police said in a Thursday press release.

Police: telephone impersonation and phishing at the center of the investigation

The Dutch National Police (Politie) reported "strong indications" that Dutch hackers were involved in the February breach at telecommunications provider Odido. Authorities say the probe recovered a telephone call placed to Odido customer service in which a Dutch-speaking individual posed as an internal IT employee. According to the police, that call preceded a successful phishing operation that led to data theft.

Stan Duijf, head of operations at the National Investigation and Interventions Unit, emphasized the investigatory work: "This type of investigation is often complex and takes time, but cybercriminals are also vulnerable and leave traces. Traces have been secured at several times during the investigation into the hack at Odido, which the research team continued to work on." The police characterization stresses both the operational complexity and the presence of forensic leads gathered during the inquiry.

What Odido disclosed about the breach and customer impact

Odido, described by the police as one of the largest Dutch telecommunications companies offering mobile, broadband, and television services to millions of customers across the Netherlands, disclosed the incident to the public on February 12. The company said attackers accessed its customer contact system on February 7 and downloaded the personal data of many users.

Odido told local media the breach affected 6.2 million customers. The firm said exposed information varies by customer and "may include a combination of full name, address and city of residence, mobile number, customer number, email address, IBAN (bank account number), date of birth, and some identification details (passport or driver's license number and validity)." Odido also stated that certain categories of data were not exposed during the incident: "no call details, location, data, billing data, scans of identity documents, or Mijn Odido passwords were exposed."

ShinyHunters claimed responsibility and released a large archive

While Odido has not made a public technical attribution, the extortion group ShinyHunters claimed responsibility on its dark web leak site. The gang posted an 88GB archive it said contained over 15 million records, including data Odido had already acknowledged as exposed.

ShinyHunters has a reported operational profile in the public record: the group has conducted vishing campaigns targeting Okta, Microsoft, and Google single sign-on (SSO) accounts, "impersonating IT support staff to trick targets' employees into entering credentials and multi-factor authentication (MFA) codes on phishing sites." After compromising corporate SSO accounts, the group is reported to seek data from connected SaaS applications.

Scope and scale: record sets, linked breaches, and targeted services

The group claimed, and public summaries of prior incidents indicate, that after gaining access to SSO accounts ShinyHunters exfiltrates data from SaaS providers and connected services. The source lists a range of targeted platforms: Microsoft 365, Google Workspace, Salesforce, SAP, Slack, Zendesk, Dropbox, Adobe, Atlassian, and others.

Previous reporting linked ShinyHunters to breaches at organizations including Google, Cisco, PornHub, Match Group, the European Commission, Rockstar Games, and McGraw-Hill. The group was also tied to incidents at more than a dozen Snowflake customers, various third-party integration providers, and a recent series of breaches that affected over 100 organizations — including the University of Nottingham — following data-theft attacks that exploited an Oracle PeopleSoft zero-day vulnerability. In the Odido matter, the party claiming the leak presented an 88GB package reportedly containing more than 15 million records, a volume larger than the 6.2 million customers Odido reported as affected.

What this means for technologists, regulators, and Odido customers

  • Technologists and security teams: the facts in this case center on social-engineering (a telephone impersonation) combined with phishing that led to data theft and on the group's pattern of moving from SSO compromise to SaaS exfiltration. Teams will likely treat SSO and support-channel authentication as focal points in post-incident reviews and monitoring.
  • Regulators and procurement leaders: a large telco disclosure (6.2 million customers reported by Odido) paired with a separate 15-million-record archive claimed by the extortionist underscores the reporting and notification questions that follow mass exposures; regulators will be watching companies' public disclosures and how those align with the scope of material released by threat actors.
  • Odido customers and the general public: Odido made specific statements about the types of data that may have been exposed and explicitly listed categories not exposed, including call details, location data, billing data, scans of identity documents, and Mijn Odido passwords. Individuals impacted will face decisions about monitoring financial accounts and communications channels for fraud, and they may seek clarification from Odido as the investigation proceeds.

The Dutch police have secured traces at multiple points in the inquiry, and their statement frames the matter as an ongoing, forensic-led investigation. Odido has acknowledged the breach's timing and customer impact, while a cybercriminal group has posted a large data archive and asserted responsibility. How those investigative leads will translate into formal attribution, remediation, or legal outcomes remains the next milestone the parties on the record say they are still working toward.

Original story