Dutch Police Link Local Hackers to Major Odido Data Breach, ShinyHunters Still Suspect
The **Dutch National Police (Politie)** has announced strong indications that Dutch hackers were involved in the February data breach at telecommunications giant **Odido**. This development suggests a local element in an attack previously claimed by the notorious **ShinyHunters** extortion gang, which exposed the personal data of 6.2 million customers.
The **Dutch National Police (Politie)** has revealed significant leads suggesting the involvement of Dutch hackers in the February data breach that impacted **Odido**, one of the Netherlands' largest telecommunications providers.
### The Phishing Pretext
According to a police press release, a key piece of evidence is a telephone conversation preceding the hack. A Dutch-speaking individual, impersonating an **Odido** IT employee, misled the company through a phishing scheme, which ultimately led to the data theft.
Stan Duijf, head of operations at the National Investigation and Interventions Unit, emphasized the complexity of such cybercrime investigations but noted that even sophisticated attackers leave traces. "Traces have been secured at several times during the investigation into the hack at **Odido**, which the research team continued to work on," Duijf stated.

### Odido's Initial Disclosure
**Odido** disclosed the breach on February 12, confirming that attackers accessed its customer contact system on February 7. The incident resulted in the download of personal data belonging to 6.2 million customers. The company had previously informed local media that the threat actors claimed to have stolen millions of user records.
### Exposed Customer Data
The compromised information varied per customer but could include full names, addresses, mobile numbers, customer numbers, email addresses, **IBAN** (bank account numbers), dates of birth, and certain identification details like passport or driver's license numbers and their validity.
Crucially, **Odido** clarified that sensitive data such as call details, location data, billing information, scans of identity documents, or **Mijn Odido** passwords were not exposed during the attack.
### The Shadow of ShinyHunters
While the **Politie** focuses on local involvement, the **ShinyHunters** extortion gang had already claimed responsibility for the breach on their dark web leak site. They released an 88GB archive purportedly containing over 15 million records, including data that **Odido** had confirmed as exposed.

**ShinyHunters** is notorious for widespread vishing campaigns, often targeting **Okta**, **Microsoft**, and **Google** single sign-on (**SSO**) accounts. Their modus operandi involves impersonating IT support staff to trick employees into divulging credentials and multi-factor authentication (**MFA**) codes on phishing sites. Once corporate **SSO** accounts are breached, they proceed to exfiltrate data from connected **SaaS** applications, including **Microsoft 365**, **Google Workspace**, **Salesforce**, **SAP**, **Slack**, **Zendesk**, **Dropbox**, **Adobe**, and **Atlassian**.
### A History of High-Profile Breaches
The cybercrime group has been linked to numerous high-profile breaches affecting organizations such as **Google**, **Cisco**, **PornHub**, **Match Group**, the **European Commission**, **Rockstar Games**, and the edtech giant **McGraw-Hill**.
More recently, **ShinyHunters** was implicated in security breaches at over a dozen **Snowflake** customers and various other third-party integration providers. They are also connected to a new series of attacks impacting over 100 organizations, including the **University of Nottingham**, following data-theft attacks exploiting an **Oracle PeopleSoft** zero-day flaw.