Date of Incident:
Weekend of February 7, 2024
Overview:
The Odido data breach occurred over the weekend of February 7, 2024, impacting the telecommunications sector. The breach resulted in unauthorized access to the personal data of 6.2 million customers, exposing details such as full names, addresses, mobile numbers, customer numbers, email addresses, IBANs, dates of birth, and ID document numbers. The attack exploited public-facing application vulnerabilities and involved the use of valid accounts, aligning with MITRE ATT&CK techniques T1190 and T1078. Despite extensive personal data exposure, passwords, call logs, and billing information were not affected. The breach was attributed to crafted HTTP requests leading to data extraction, with no malware or persistence found in the system.
Impact:
Personal data of 6.2 million customers was exposed, including full name, address, place of residence, mobile number, customer number, email address, IBAN, date of birth, and identification data (passport or driver’s license number and validity). Passwords, call logs, billing information, call records, location data, invoice details, and scans of identification documents were not affected.
Details:
The Odido data breach, over the weekend of February 7, 2024, involved unauthorized access exploiting weaknesses mapped to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1078 (Valid Accounts). The attacker’s proof of concept (PoC) involved injecting crafted HTTP requests to reach the customer data repository, leading to extraction of personally identifiable information (PII). IOCs include the exploited web request patterns, unauthorized source IP addresses in Europe (identified in firewall logs), and database query logs showing exports of customer name, address, mobile number, customer number, email, IBAN, date of birth, and sensitive ID document numbers. No evidence of password or call record leakage was found in system logs. Relevant logs show numerous failed login attempts preceding the data exfiltration event, indicating possible brute-force or credential-stuffing activity. No registry edits or malware artifacts were detected, suggesting a direct application-layer attack without persistent infection vectors.
Remediation:
Odido advised immediate application of security patches to the affected web services and backend database servers, alongside strengthening multi-factor authentication (MFA) and intrusion detection system (IDS) rules to detect anomalous traffic and access patterns. Temporary mitigations include disabling the vulnerable customer data API endpoints and forcing password resets, even though no passwords were directly compromised, to reduce the risk of credential reuse. Continuous monitoring for unusual network traffic and endpoint integrity checks are recommended.
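The Details section notes that many failed login attempts preceded the exfiltration and that the database query logs recorded the bulk export, and the Remediation section calls for monitoring rules that catch anomalous access patterns. The following script is an added illustration of such a rule, not Odido's tooling and not part of the original report: it correlates a burst of failed logins from one source address with a later large export from the same address, so that a bulk export alone (for example a scheduled job) does not fire, but one that follows a brute-force-style burst does. The log line format, the field names, the thresholds and the sample lines are all constructed assumptions; source addresses use documentation ranges.

```python
"""Correlate failed-login bursts with subsequent bulk data exports.

Added example (not from the incident report). The line formats below are
an assumed, constructed layout:
  auth:   "<ISO8601 UTC> <src_ip> login <OK|FAIL> user=<name>"
  export: "<ISO8601 UTC> <src_ip> export rows=<n> table=<name>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample data. 203.0.113.45 produces 12 failed logins in two
# minutes, then succeeds and pulls 250,000 rows. 198.51.100.7 fails once and
# exports 12 rows. 192.0.2.10 is a large but uncorrelated export (no failures).
AUTH_LOG = [
    f"2024-02-07T02:{14 + i // 6:02d}:{(i % 6) * 10 + 1:02d}Z "
    f"203.0.113.45 login FAIL user=acct{i}"
    for i in range(12)
] + [
    "2024-02-07T02:15:30Z 198.51.100.7 login FAIL user=bob",
    "2024-02-07T02:16:40Z 203.0.113.45 login OK user=acct11",
]
EXPORT_LOG = [
    "2024-02-07T02:20:10Z 203.0.113.45 export rows=250000 table=customers",
    "2024-02-07T03:05:00Z 198.51.100.7 export rows=12 table=customers",
    "2024-02-07T08:00:00Z 192.0.2.10 export rows=50000 table=customers",
]


def parse_ts(s):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth(line):
    ts, ip, _, result, user = line.split()
    return parse_ts(ts), ip, result == "FAIL", user.split("=", 1)[1]


def parse_export(line):
    ts, ip, _, rows, table = line.split()
    return parse_ts(ts), ip, int(rows.split("=", 1)[1]), table.split("=", 1)[1]


def failed_login_bursts(auth_lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: (last_failure_ts, failures_in_window)} for every source IP
    that produced at least `threshold` failed logins inside a sliding window
    of length `window`. The sort works because the timestamp leads the line
    and has fixed width."""
    recent = defaultdict(deque)
    bursts = {}
    for line in sorted(auth_lines):
        ts, ip, failed, _ = parse_auth(line)
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts[ip] = (ts, len(q))      # keep the latest qualifying burst
    return bursts


def correlate_exports(auth_lines, export_lines, fail_threshold=10,
                      fail_window=timedelta(minutes=5),
                      lookahead=timedelta(minutes=30), rows_threshold=10_000):
    """Alert on exports of at least `rows_threshold` rows whose source IP had
    a failed-login burst ending no more than `lookahead` before the export."""
    bursts = failed_login_bursts(auth_lines, fail_threshold, fail_window)
    alerts = []
    for line in export_lines:
        ts, ip, rows, table = parse_export(line)
        if rows < rows_threshold or ip not in bursts:
            continue
        burst_end, count = bursts[ip]
        if timedelta(0) <= ts - burst_end <= lookahead:
            alerts.append({"ip": ip, "failed_logins": count, "rows": rows,
                           "table": table, "export_at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate_exports(AUTH_LOG, EXPORT_LOG):
        print("ALERT bulk export after failed-login burst:", alert)
```

Only the 203.0.113.45 export is reported; the 50,000-row export from 192.0.2.10 passes because no burst preceded it, which is the point of correlating the two signals rather than alerting on row counts alone. In production the same logic would consume the firewall and database audit feeds the report mentions, with thresholds tuned to the service's normal login failure rate and export sizes.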
Takeaway for CISO:
The breach exposed sensitive customer personal data affecting privacy and trust but avoided exposure of more critical data such as passwords or call histories. CISOs must prioritize rigorous application security testing, protection of web-facing infrastructure, and granular access controls combined with proactive monitoring to detect anomalous behavior early and reduce attack surface. Regularly updated incident response plans and communication strategies are critical for managing customer impact and regulatory compliance.
