- Hackers claim to have stolen data on 8 million Odido customers, significantly more than the company’s estimate of 6.2 million.
- The hackers, identified as the infamous ShinyHunters group, demand that Odido pay a “low seven-figure sum” (up to a million euros) by Thursday.
- They stole Odido’s confidential info, including bank account details and passport numbers.

Dutch telecom company Odido has suffered a cyberattack, and the popular hacking group ShinyHunters is behind the incident.
The threat actors are demanding a huge ransom from Odido, threatening to dump data from millions of customers if they don’t get the money by Thursday.
They claim they’ve already shown they can get into Odido’s systems and are now turning the screws with the deadline.
Millions of Customer Records At Risk
ShinyHunters claims the data haul is larger than Odido has publicly stated. The telecom firm initially reported that 6.2 million current and former clients were affected. However, the hackers say they have information on 8 million people, including customers from Odido’s sub-brand, Ben.
The stolen data includes names, addresses, phone numbers, and email addresses. More dangerously, the cache also contains bank account details and passport numbers. This goes beyond the contact info often lost in breaches and enters the realm of serious financial risk. RTL Nieuws reported that the hackers provided evidence to back up their claims, confirming the scale of the intrusion.
Hacker Gives Odido a Deadline for Ransom
The group sent a chilling message to Odido, which was shared by Dutch broadcaster RTL. “This is the final warning to come back to our chat and finish what we set out to do before we leak,” the message read. “You know where to find us.”
They are demanding that Odido pay at least €1 million on or before Thursday, or they’ll dump everything online. The company is currently at a crossroads, and even if it pays, no one is sure the group won’t leak the stolen data.
The Odido hack followed a similar, low-tech path. Sources told Dutch broadcaster NOS that the attackers gained access through customer service worker accounts. They reportedly obtained the necessary passwords using classic phishing techniques, proving that sometimes the oldest tricks in the book are still the most effective.
While ShinyHunters exploits human error for data theft, Dutch authorities are simultaneously fighting cybercrime at the infrastructure level. Recently, Dutch police shut down a criminal host used for dark web activities, demonstrating that the fight against online crime involves both pursuing attackers and dismantling the platforms that enable them.
With the Thursday deadline at hand, Odido now faces a nightmare scenario. They have to carefully weigh their options. Paying off extortionists means parting with a huge sum of money. Not paying means customers’ most sensitive details will likely start floating around dangerous corners of the dark web. Odido advised its customers to stay vigilant in case of any suspicious activity on their accounts.
Who are ShinyHunters?
ShinyHunters first made their mark with claims of stealing hundreds of millions of records from 13 different companies in 2020. And now they’ve become one of the most active groups involved in extorting money digitally, with hundreds of victims globally.
The group’s early days were busy. In May 2020 alone, they claimed credit for stealing 90 million customer records from Indonesian ecommerce giant Tokopedia. Around the same time, they claimed the theft of over 10 million user accounts from the Indian education platform Unacademy.
That same month, they made headlines by claiming they’d stolen hundreds of gigabytes of Microsoft source code from private GitHub accounts. The group kept up the pace, targeting Minted, the Star Tribune newspaper, Chatbooks, Home Chef, and the dating site Zoosk, among others.
The ShinyHunters group operates with a straightforward playbook. According to reports from security researchers, the hackers usually start by using Microsoft Office 365 to identify companies. They then look for GitHub repositories containing OAuth tokens. Once they find those, they target research and development employees within those organizations. Those credentials become the key to launching more targeted attacks.
In July 2021, they hit financial service provider Dave Inc. by breaching Waydev, a Git analytics platform. Researchers later found stolen data from over a dozen other sites linked to the same hacking forums, including Bonobos.com, Wappalyzer.com, and MeetMindful.com.
ShinyHunters’ Recent Campaigns and New Tricks
Recently, ShinyHunters have leveled up their game. Reports show they were behind the break-in on customer cloud environments hosted on the cloud data warehousing platform Snowflake.
Then last August, they targeted major Salesforce customers by impersonating IT support staff in phone calls and convinced employees to visit Salesforce’s connected app setup page. There, victims entered a “connection code” that connected a malicious version of Salesforce’s Data Loader OAuth app to their environment. Companies like Qantas, LVMH, Allianz Life, and Adidas found themselves in the crosshairs.
Google’s Threat Intelligence team recently tracked ShinyHunters under multiple threat clusters. They wrote about the group’s expansion into sophisticated voice phishing, or vishing. They now set up victim-branded credential harvesting sites using domain formats like companyname-sso.com. During calls pretending to be IT staff, they direct employees to these sites to steal single sign-on credentials and MFA codes.
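For defenders, the companyname-sso.com format described above can be turned into a triage rule over hostnames seen in DNS or proxy logs. The following Python sketch is an added example, not code from the article or from Google's report; the brand `examplecorp`, the owned-domain list and the sample hostnames are constructed, and matching near-miss spellings and the un-hyphenated form goes beyond the single format the article names.

```python
import re

# Constructed values: "examplecorp" stands in for the defended brand.
BRAND = "examplecorp"
OWNED = {"examplecorp.com", "examplecorp.nl"}  # domains the organisation controls
KEYWORDS = ("sso",)  # from the companyname-sso.com format; extend locally

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if len(a) == len(b):
                i += 1          # substitution: advance both strings
            j += 1              # extra character in b: advance b only
        else:
            i += 1
            j += 1
    return edits + (len(b) - j) <= 1

def classify(host):
    """Return 'owned', 'suspect' or 'ignore' for one observed hostname."""
    host = host.lower().rstrip(".")
    # Naive registrable domain: last two labels (assumes no multi-part TLDs).
    if ".".join(host.split(".")[-2:]) in OWNED:
        return "owned"
    body = host.rsplit(".", 1)[0]  # every label except the TLD
    tokens = [t for t in re.split(r"[-_.]", body) if t]
    has_kw = any(t in KEYWORDS for t in tokens)
    has_brand = any(within_one_edit(t, BRAND) for t in tokens)
    for t in tokens:  # un-hyphenated form: brand and keyword in one token
        for kw in KEYWORDS:
            if t.endswith(kw) and within_one_edit(t[: -len(kw)], BRAND):
                has_kw = has_brand = True
    return "suspect" if has_kw and has_brand else "ignore"

def triage(hosts):
    """Hostnames worth an analyst's look, in input order."""
    return [h for h in hosts if classify(h) == "suspect"]

if __name__ == "__main__":
    observed = ["sso.examplecorp.com", "examplecorp-sso.com",
                "examp1ecorp-sso.com", "othercorp-sso.com"]  # constructed
    print(triage(observed))
```

The one-edit tolerance only makes sense for brand strings long enough that near matches are rare; for short brands, require an exact token match.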
Once inside, they hunt for sensitive data. They search cloud applications for documents containing words like “confidential,” “proposal,” “Salesforce,” and “VPN.” They’ve also targeted personally identifiable information stored in Salesforce and may have gone after Slack data in some cases.
What makes them particularly dangerous? They don’t bother breaking into software through security loopholes. They instead use social engineering tricks to go after employees, who are often the weakest links in companies’ security systems.