6 million customers
Dutch telecommunications provider Odido has suffered a data breach affecting approximately six million customers. The company and Dutch law enforcement have disclosed that the attack was initiated via a social engineering and phishing campaign. Investigators have strong indications that local Dutch nationals were involved, citing a phone call made by a Dutch-speaking individual impersonating an IT employee to gain initial access. The compromised system was a customer contact database. Odido has clarified that highly sensitive data such as passwords, financial details, and location data were not exposed. The Dutch High Tech Crime Team (THTC) is leading the criminal investigation.
The incident highlights the effectiveness of social engineering as an initial access vector, even against large corporations. By impersonating a trusted internal employee, the attackers bypassed technical controls to gain a foothold.
The attack began with a vishing call to Odido's customer service. A Dutch-speaking male posed as an IT staff member, presumably to trick an employee into revealing credentials, approving a fraudulent MFA push, or granting remote access. This social engineering tactic was successful, allowing the attackers to gain unauthorized access to an internal customer contact system.
Once inside, the attackers exfiltrated a dataset containing the personal information of six million customers. Odido has reported that the compromised information did not include:
The specific types of personal data that were exposed have not been fully detailed in the reports, but typically for a customer contact system, this would include names, addresses, phone numbers, and email addresses.
T1598.001 - Phishing for Information: Spearphishing Voice: The initial access was gained via a vishing call, a form of social engineering.T1566 - Phishing: The overall strategy to deceive an employee into granting access.T1078 - Valid Accounts: After the successful phishing attempt, the attackers likely used legitimate credentials to access the customer database.T1003 - OS Credential Dumping: While not confirmed, this is a likely next step after gaining initial access to escalate privileges.T1048 - Exfiltration Over Alternative Protocol: The attackers exfiltrated the customer data from the compromised system.While Odido asserts that the most sensitive data was not stolen, the exposure of personal contact information for six million people is still significant. This data is highly valuable for criminals to conduct large-scale, targeted follow-on attacks.
No specific file hashes, IP addresses, or domains were provided in the source articles.
Detecting social engineering attacks like this is challenging. The focus should be on user behavior and access patterns.
Customer Relationship Management (CRM) system4625The primary defense against social engineering attacks like vishing is a well-trained and skeptical workforce.
Implementing phishing-resistant MFA (like FIDO2) can prevent account takeover even if an employee is tricked into giving up a password.
Apply the principle of least privilege to ensure that a compromised customer service account cannot be used to perform bulk data exports.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.