ctipilot.ch

Odido (Netherlands telecom) ShinyHunters breach

incident · incident:odido-telecom-breach-netherlands-2026

ShinyHunters breach of Dutch telecom operator Odido (and its Ben brand): a vishing call impersonating IT staff convinced a customer-service employee to authenticate into a spoofed corporate portal, harvesting credentials used to bulk-exfiltrate 6.2M+ customer records (intrusion 5 February 2026; Dutch police announced strong indications of Dutch-national involvement via voice analysis, 9 July 2026).

Aliases: Odido hack, Odido/Ben data breach

Coverage timeline
1
first 2026-07-10 → last 2026-07-10
Peak priority
notable
1 notable
Sources cited
4
2 hosts
Sections touched
1
active-threats
Co-occurring entities
1
see Related entities below
ATT&CK techniques
4
pinned v19.1 · see below

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · ATT&CK page ↗

T1566.004Phishing: Spearphishing Voice×1

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · ATT&CK page ↗

Persistence TA0003

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · ATT&CK page ↗

Privilege Escalation TA0004

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · ATT&CK page ↗

Stealth TA0005

T1078Valid Accounts×1

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · ATT&CK page ↗

T1684.001Social Engineering: Impersonation×1

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · ATT&CK page ↗

Collection TA0009

T1213Data from Information Repositories×1

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · ATT&CK page ↗

Story timeline

  1. 2026-07-10ShinyHunters' Odido (NL telecom) breach: Dutch police voice analysis points to Dutch-national involvement; same vishing-into-spoofed-portal playbook, now against an EU telco
    active-threatsDutch police tie ShinyHunters' Odido telecom breach to Dutch nationals via voice analysis — the vishing-to-spoofed-portal playbook now hits an EU telco

Where this entity is cited

  • active-threats1

Source distribution

  • nos.nl3 (75%)
  • politie.nl1 (25%)

Related entities

Entries about Odido (Netherlands telecom) ShinyHunters breach (1)

2026-07-10 · view entry permalink →

NOTABLE

ShinyHunters' Odido (NL telecom) breach: Dutch police voice analysis points to Dutch-national involvement; same vishing-into-spoofed-portal playbook, now against an EU telco

Dutch National Police (Team High Tech Crime) announced on 9 July that its investigation into the February 2026 breach of Dutch telecom operator Odido — and its Ben brand — has produced strong indications of Dutch-national involvement, based on forensic voice analysis of a call recorded at the time of the intrusion; police assess the caller as very likely a genuine human speaker (while not fully ruling out synthetic voice) and are publicly appealing for the caller to come forward before the recording is released (Politie, 2026-07-09; NOS, 2026-07-09).

This extends the ShinyHunters vishing-to-spoofed-portal playbook (registry: actor:shinyhunters) already covered in this store to a new victim class — an EU telecommunications operator. The mechanism, confirmed on-record by Odido CEO Tisha van Lammeren, is the same one documented previously: a caller impersonating Odido IT-department staff (T1656) used a voice-phishing pretext (T1566.004) to persuade a customer-service employee to log into a spoofed copy of the corporate work environment, harvesting that employee's real credentials (T1078) for the customer-contact system (NOS, 2026-05-12). Odido blocked the account within an hour of noticing the intrusion (NOS, 2026-05-12), but the operators had already bulk-exported 6.2 million customer records (name, address, contact details, customer number, bank account number, date of birth, and passport/driver's-licence numbers) (NOS, 2026-02-12) — the CEO's Dutch quote via NOS: "De hacker wist deze medewerker over te halen om in te loggen op een valse versie van de werkomgeving. Zo heeft hij de inloggegevens van die persoon gestolen" ("the hacker persuaded this employee to log into a fake version of the work environment, and so stole that person's login credentials") (T1213). The Dutch Data Protection Authority has two open investigations — into the adequacy of Odido's customer-system security and into whether it retained former-customer data longer than permitted.

In het onderzoek heeft de politie sterke aanwijzingen gevonden dat Nederlandse criminelen betrokken zijn bij de Odido-hack.

Politie (Dutch National Police) 2026-07-09

De hacker wist deze medewerker over te halen om in te loggen op een valse versie van de werkomgeving. Zo heeft hij de inloggegevens van die persoon gestolen.

NOS (Dutch public broadcaster) 2026-07-09

Builds on: 2026-06-26/shinyhunters-used-a-single-vishing-call-into-the-company-s-i

incident10 Jul 04:36Zmulti-sourceOpen finding ↗