ShinyHunters Extortion Gang Claims Odigo Breach Affecting Millions of Users

Ovido Data Breach Exposes Millions of Customer Records

A recent data breach at Dutch telecommunications provider Ovido has exposed the personal information of millions of customers, with the ShinyHunters extortion gang claiming responsibility for the attack. Ovido, one of the largest telecom companies in the Netherlands, offers mobile, broadband, and television services to millions of customers nationwide.

Breach Details

According to Ovido, the breach, which was disclosed on February 12, exposed varying combinations of customer data, including full names, addresses, mobile numbers, customer numbers, IBAN bank account numbers, dates of birth, and identification details such as passport or driver’s license numbers and validity. The company reported that 6.2 million customers were affected by the breach and that the attackers had contacted the company to claim they had stolen millions of user records.

Response to the Incident

In response to the incident, Ovido has reported the breach to the Dutch Data Protection Authority, blocked the attackers’ access to its systems, and hired external cybersecurity experts to assist with incident response and mitigation. However, the company has not disclosed whether the attackers demanded a ransom or which threat group was behind the attack.

ShinyHunters warned Ovido to “come back to our chat and finish what we set out to do before we leak along with several annoying (digital) problems that’ll come your way.”

ShinyHunters’ Claims

The ShinyHunters extortion gang has since added Ovido to its dark web leak site, claiming to have stolen nearly 21 million records containing customer data. The gang also claims that the stolen data includes internal corporate data and plaintext passwords.

An Ovido spokesperson denied the claims, stating that “no passwords, call details, social security numbers, or billing data are involved.”

ShinyHunters’ Tactics

ShinyHunters has been known to use voice phishing attacks targeting single sign-on accounts at Google, Microsoft, and Okta, where the threat actors impersonate IT support staff and trick employees into entering credentials and multi-factor authentication codes on phishing sites that mimic their companies’ login portals.

The group's tactics also include:

  • Device code vishing, abusing the OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens.
  • Hijacking victims’ SSO accounts to breach connected enterprise services like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others.
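
For defenders, device code abuse is visible in identity provider sign-in logs. The following is an added example, not part of the original article: it flags successful device-code sign-ins by accounts that have no history of using that flow. The records are constructed, the field names are assumed to follow the Microsoft Graph `signIn` resource, and the allowlist and function names are hypothetical.

```python
# Added example: constructed records, field names per Microsoft Graph signIn.
def rec(user, protocol, app, ip, error_code=0):
    """Build one constructed sign-in record (errorCode 0 = success)."""
    return {"userPrincipalName": user, "authenticationProtocol": protocol,
            "appDisplayName": app, "ipAddress": ip,
            "status": {"errorCode": error_code}}

# Hypothetical allowlist of accounts expected to use the device code flow.
DEVICE_CODE_ALLOWLIST = {"room-device@example.com"}

# Constructed baseline (e.g. the previous 30 days) and new review window.
BASELINE = [
    rec("room-device@example.com", "deviceCode", "Meeting Room App", "198.51.100.10"),
    rec("dev-cli@example.com", "deviceCode", "Command Line Tool", "198.51.100.20"),
    rec("alice@example.com", "oAuth2", "Office Portal", "198.51.100.30"),
]
NEW_WINDOW = [
    rec("Alice@Example.com", "deviceCode", "Office Portal", "203.0.113.77"),
    rec("dev-cli@example.com", "deviceCode", "Command Line Tool", "198.51.100.20"),
    rec("bob@example.com", "deviceCode", "Office Portal", "203.0.113.77", error_code=1),
    rec("room-device@example.com", "deviceCode", "Meeting Room App", "198.51.100.10"),
    rec("carol@example.com", "oAuth2", "Office Portal", "198.51.100.40"),
]

def _device_code_success(record):
    """True for a successful sign-in that used the device code flow."""
    return (record.get("authenticationProtocol") == "deviceCode"
            and record.get("status", {}).get("errorCode") == 0)

def find_unexpected_device_code_signins(baseline, window, allowlist=DEVICE_CODE_ALLOWLIST):
    """Flag successful device-code sign-ins in `window` by users who are neither
    allowlisted nor seen using the flow successfully in `baseline`."""
    known = {r["userPrincipalName"].lower() for r in baseline if _device_code_success(r)}
    alerts = []
    for r in window:
        user = r["userPrincipalName"].lower()
        if _device_code_success(r) and user not in known and user not in allowlist:
            alerts.append({"user": user, "app": r["appDisplayName"], "ip": r["ipAddress"]})
    return alerts

if __name__ == "__main__":
    for alert in find_unexpected_device_code_signins(BASELINE, NEW_WINDOW):
        print("REVIEW device-code sign-in:", alert)
```

Where no account legitimately needs the device code flow, blocking it with a Conditional Access policy removes the need for this triage.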

