The ShinyHunters extortion gang has claimed responsibility for breaching Dutch telecommunications provider Odido and stealing millions of user records from its compromised systems.

Odido is one of the largest telecommunications companies in the Netherlands and offers mobile, broadband, and television services to millions of customers nationwide.

The company disclosed the breach on February 12, revealing that attackers downloaded the personal data of many of its users after gaining access to its customer contact system on February 7. However, Odido added that no Mijn Odido passwords, call details, location, data, billing data, or scans of identity documents were exposed during the incident.

According to the telecom firm, the exposed information varies per customer and may include a combination of full name, address and city of residence, mobile number, customer number, email address, IBAN (bank account number), date of birth, and some identification details (passport or driver's license number and validity).

It also told local media at the time that the data breach affected 6.2 million customers and that the threat actors reached out to say they had stolen millions of user records.

After discovering the incident, Odido has reported the breach to the Dutch Data Protection Authority, blocked the attackers' access to its systems, and hired external cybersecurity experts to assist with incident response and mitigation.

An Odido spokesperson didn't provide further information on the incident when asked about which threat group was behind the attack and whether they demanded a ransom "due to the ongoing investigations."

While Odido has yet to attribute the attack, the ShinyHunters extortion gang has now added the company to its dark web leak site, claiming they've stolen nearly 21 million records containing data the company already revealed as exposed in the breach.

ShinyHunters also told BleepingComputer on Monday that the stolen data also contains internal corporate data and plaintext passwords.

"This is a final warning to come back to our chat and finish what we set out to do before we leak along with several annoying (digital) problems that'll come your way," the extortion gang says on the leak site. "Make the right decision, don't be the next headline. You know where to find us."

However, an Odido spokesperson denied their claims in a statement to BleepingComputer, reiterating that "no passwords, call details, social security numbers, or billing data are involved."

In recent weeks, ShinyHunters has claimed responsibility for a wave of other security breaches, including Panera Bread, Betterment, SoundCloud, Canada Goose, PornHub, and online dating giant Match Group (which owns the Tinder, Hinge, Meetic, Match.com, and OkCupid dating platforms).

Some of their victims had their systems compromised in voice phishing (vishing) attacks targeting single sign-on (SSO) accounts at Google, Microsoft, and Okta, where the threat actors call employees while impersonating IT support staff and trick them into entering credentials and multi-factor authentication (MFA) codes on phishing sites that mimic their companies' login portals.

As BleepingComputer first reported, the ShinyHunters group has also recently adopted device code vishing, abusing the OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens.

After stealing their targets' credentials and auth codes, the threat actors hijack the victims' SSO accounts to breach connected enterprise services like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others.