The Call That Started It All
Here's the thing about modern breaches: they rarely start with a zero-day exploit or a sophisticated phishing email. Sometimes, it starts with a phone call.
The Dutch National Police (Politie) dropped a press release on Thursday that should make every security team in the Netherlands sit up straighter. After weeks of investigation into Odido's February breach, they've found what they're calling "strong indications" that Dutch-speaking hackers were behind the attack. And there's a recorded telephone conversation to prove it — one where a Dutch-speaking man impersonated Odido's own IT employee, called customer service, and set off a chain of events that ultimately exposed 6.2 million customers' personal data.
The police didn't just find a suspect. They found traces at several points during the investigation, according to Stan Duijf, head of operations at the National Investigation and Interventions Unit. "This type of investigation is often complex and takes time, but cybercriminals are also vulnerable and leave traces," Duijf said. Translation: these guys aren't ghosts. They make mistakes. They leave phone records.
But the bigger story here isn't just that Dutch police cracked a case. It's what this breach reveals about the evolving playbook of one of the most dangerous extortion groups operating today — ShinyHunters.
How the Attack Unfolded
Odido disclosed the breach on February 12, confirming that attackers had accessed its customer contact system as early as February 7. The company told local media the resulting data breach affected 6.2 million customers, and that threat actors had reached out claiming they'd stolen millions of user records.
The initial vector was social engineering — specifically, a phone call where someone posing as an internal IT employee misled customer service staff through phishing. Once inside, the attackers downloaded personal data from Odido's systems.
Let me be clear about what was exposed, because the details matter more than most people realize. According to Odido's disclosure, the compromised information varies per customer but can include a combination of full name, address and city of residence, mobile number, customer number, email address, IBAN (bank account number), date of birth, and identification details like passport or driver's license numbers and validity periods.
On the flip side, Odido confirmed that no call details, location data, billing data, scans of identity documents, or Mijn Odido passwords were exposed. That's a meaningful distinction — someone could try to impersonate you at the bank, but they can't reset your Odido account without that password.
The breach is significant not just for its scale but because it hit one of the Netherlands' largest telecommunications providers. Odido offers mobile, broadband, and television services to millions of customers across the country. When a telco gets hit this hard, the ripple effects touch everything from identity theft to targeted fraud campaigns.
ShinyHunters' Signature Playbook
Odido hasn't officially attributed the incident, but ShinyHunters — the extortion gang that's been terrorizing enterprises for years — claimed responsibility on its dark web leak site. They released an 88GB archive containing over 15 million records, including data the company had already disclosed as exposed in the attack.
ShinyHunters is not your average cybercriminal outfit. They operate under the corporate persona ShinyCorp, coordinate through Telegram, and follow a ruthless "pay or leak" extortion model. Their track record reads like a who's-who of high-profile breaches: Google, Louis Vuitton, AT&T, Cisco, PornHub, Match Group, the European Commission, Rockstar Games, McGraw-Hill, and over a dozen Snowflake customers.
But what makes this Odido case particularly interesting is how it fits ShinyHunters' established modus operandi. The group has been behind widespread vishing campaigns targeting Okta, Microsoft, and Google single sign-on (SSO) accounts. They impersonate IT support staff to trick employees into entering credentials and MFA codes on phishing sites.
After breaching corporate SSO accounts, they move laterally into connected SaaS applications — Microsoft 365, Google Workspace, Salesforce, SAP, Slack, Zendesk, Dropbox, Adobe, Atlassian, and others. The Odido breach appears to follow a similar pattern: social engineering at the perimeter, then data extraction from internal systems.
The group's use of AI-powered vishing is what elevates this from a standard social engineering attack to something far more dangerous. AI voice synthesis has gotten so good that even security-aware employees can struggle to distinguish a synthetic voice from a real one on the phone. That's not theoretical — it's happening right now, and ShinyHunters has been refining this technique for years.
What This Means for Security Teams
The Odido breach should serve as a wake-up call, and not just in the Netherlands. Here's why this case matters for security and compliance professionals everywhere:
The phone is still a valid attack vector. We've spent years telling employees not to click suspicious links, but the human voice remains one of the most trusted communication channels. When someone calls you and sounds like IT, the default response is compliance — not suspicion. Organizations need to implement verification protocols for any request that involves sensitive data or system access, regardless of the channel.
AI-powered social engineering is here. This isn't science fiction. ShinyHunters has been using AI voice phishing to impersonate IT staff, and the technology keeps getting better. Training programs that focus solely on email phishing are leaving a massive gap. Security awareness needs to expand to include voice-based attacks, and organizations should establish callback verification procedures for any unusual requests.
SSO is both a solution and a vulnerability. Single sign-on reduces password fatigue and improves security posture — but when attackers compromise SSO credentials through vishing, they gain access to everything connected. The Odido breach shows that even without hitting an SSO system directly, the initial foothold through social engineering can lead to significant data loss.
Local hackers with global tactics. The fact that Dutch police found strong indications of Dutch-speaking hackers involved in this breach is notable. It suggests a localization trend — threat actors adapting global extortion gang playbooks to local markets, using language and cultural familiarity as an advantage. This makes detection harder because the attacks feel more "normal" to local employees.
The data exposure is real and actionable. IBAN numbers, dates of birth, passport details — this isn't metadata. This is the kind of information that enables identity theft, financial fraud, and targeted social engineering against victims. Organizations need to treat this level of exposure with the seriousness it deserves, including proper breach notification and victim support.
The Broader Pattern
ShinyHunters' recent activity extends well beyond the Odido case. The group has been linked to a growing number of breaches involving major enterprises, and they've also exploited an Oracle PeopleSoft zero-day flaw to hit over 100 organizations, including the University of Nottingham.
What's striking is the consistency of their approach. Whether they're targeting a telecommunications provider in the Netherlands, an edtech giant in the US, or a gaming company globally, the pattern holds: social engineering at the perimeter, credential theft through vishing or phishing, lateral movement into connected systems, and then extortion.
The Odido breach fits this pattern perfectly. Dutch hackers, using AI-powered vishing techniques that mirror ShinyHunters' known tactics, exploited a telecommunications provider's customer service system to access millions of records.
For security teams, the takeaway is clear: your perimeter defense needs to account for voice-based attacks. Your SSO implementation needs strong monitoring for anomalous access patterns. And your incident response plan should account for the possibility that an attacker has already compromised credentials through social engineering before you even detect the breach.
The Dutch National Police's investigation shows that these attacks leave traces. But by the time investigators are piecing together phone records and digital footprints, the data has already been exfiltrated. Prevention has to happen before the call comes in.