Dutch authorities have identified what they describe as "strong indications" that Dutch-speaking hackers carried out a February breach at Odido, one of the Netherlands' largest telecommunications providers, the Dutch National Police said Thursday.
The breach, first disclosed by Odido on February 12, began when attackers accessed the company's customer contact system on February 7 and exfiltrated the personal data of millions of users. The company confirmed the incident affected 6.2 million customers.
Police said the attack followed a social engineering sequence in which a Dutch-speaking man called Odido's customer service line and impersonated an internal IT employee. The company was subsequently misled through phishing, which enabled the data theft to proceed.
"This type of investigation is often complex and takes time, but cybercriminals are also vulnerable and leave traces," said Stan Duijf, the head of operations at the National Investigation and Interventions Unit. "Traces have been secured at several times during the investigation into the hack at Odido, which the research team continued to work on."
The exposed data varies per customer but may include a combination of full name, home address, mobile number, customer number, email address, IBAN bank account number, date of birth, and identification details such as passport or driver's license number and validity period.
Odido specified that no call records, location data, billing data, identity document scans, or Mijn Odido account passwords were compromised during the incident.
Separately, the extortion gang known as ShinyHunters claimed responsibility for the breach on its dark web leak site, releasing an 88-gigabyte archive that it said contained over 15 million records — a figure that exceeds the customer count Odido has publicly acknowledged. Odido has not formally attributed the incident.
ShinyHunters has been connected to a pattern of vishing campaigns targeting organizations that use Okta, Microsoft, and Google single sign-on accounts, typically by impersonating IT support staff to harvest credentials and multi-factor authentication codes via phishing sites. Once inside corporate SSO accounts, the group has been observed stealing data from connected SaaS platforms including Microsoft 365, Google Workspace, Salesforce, Slack, and Zendesk.
The group has been linked to breaches involving a range of organizations, including Cisco, Match Group, the European Commission, Rockstar Games, and the McGraw-Hill education technology company. It was also implicated in security incidents at more than a dozen Snowflake customers and, more recently, in a series of breaches affecting over 100 organizations — including the University of Nottingham — tied to exploitation of an Oracle PeopleSoft zero-day vulnerability.
The Odido investigation reflects a broader challenge facing law enforcement as it pursues cybercriminal groups operating domestically. The use of native-language social engineering — in this case Dutch — complicates the assumption that such attacks originate entirely from foreign actors, reinforcing the difficulty authorities face in attribution even when the perpetrators are geographically nearby.
Dutch police have not announced any arrests in connection with the Odido breach, and the investigation remains ongoing.