Scams & Phishing News Odido hackers interviewed via Telegram by Dutch quality newspaper NRC

LinuxFan58

Level 10
Thread author
Nov 30, 2025
HaveIBeenPwned said:
In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names, physical addresses, phone numbers, bank account numbers, dates of birth, customer service notes and passport, driver’s licence and European national ID numbers. Odido has published a disclosure notice including an FAQ to support affected customers.

In an interview with Dutch quality newspaper (link behind paywall) the hackers explained that the hack was easy because "ODIDO did not apply the principle of least privilege"
 
In an interview with Dutch quality newspaper (link behind paywall) the hackers explained that the hack was easy because "ODIDO did not apply the principle of least privilege"
That claim is plausible in a general security sense, but it should still be treated cautiously because it comes from the attackers themselves.

What “least privilege” means

The principle of least privilege means users, systems, applications, and service accounts should only have the minimum access needed to do their job.

In practice, that usually means:

  • Staff accounts should not have access to large amounts of customer data unless required
  • Administrative rights should be tightly limited
  • Internal systems should be segmented so one compromised account cannot reach everything
  • Access should be time-limited, role-based, and regularly reviewed
  • Sensitive data such as identity documents should have stronger access controls than routine account data

Why attackers mention it

If a breach becomes much worse after one account or one entry point is compromised, weak privilege separation is often part of the problem.

For example, if an attacker gets into:

  • a support account and can immediately view full identity records
  • an internal application that exposes more data than that role should need
  • a service account with broad database permissions

then poor access control or excessive permissions may indeed have contributed.

Important limitation

It is not possible to confirm the exact cause safely just from the attackers’ statement or a news interview.

Attackers may:

  • tell the truth
  • oversimplify what happened
  • exaggerate their skill
  • shape the story for publicity or leverage

So the statement should be seen as an allegation unless Odido, regulators, forensic investigators, or credible technical reporting confirms it.

What it likely implies if accurate

If the claim is accurate, it would usually suggest one or more of these issues:

  • over-permissioned employee or contractor accounts
  • weak role-based access control
  • poor segregation between customer support systems and highly sensitive identity data
  • insufficient network or application segmentation
  • service accounts with unnecessary database access
  • inadequate monitoring of unusual bulk access

Bottom line

“Yes, that could absolutely make a breach easier and more damaging,” but “the hackers said so” is not enough on its own to treat it as established fact. The safer conclusion is that least-privilege failures are a credible explanation, not yet a confirmed one unless supported by official investigation findings.
 
It was Salesforce that was hacked at ODIDO.

I used Salesforce a lot (as a sales director). The problem with Salesforce is that the consultants are very expensive (HubSpot and Pipedrive are much easier to use). Salesforce consultants often implement an industry-standard baseline (they have industry-specific templates) with some company customization. Next, the sales managers and system admins/application managers are given a "train the trainer" course. This is practical, because you give the sales manager the highest (power) user role, so he/she can configure Salesforce further for his/her sales people with the assistance of the internal system admins and application managers.

I once did an interim job at the largest telecom provider of the Netherlands, where they started to use Salesforce. The company's own sales director whom I replaced (who was seriously ill, but recovered) had applied functional permission separation based on role and job title (vertical separation), but had not partitioned data access within functions of the same role within a department. Meaning Salesforce was vertically contained (on role/job title) but not horizontally (data access limited by separating it into compartments).

It was a helpdesk employee whose user ID and password were used, so there is a fair chance helpdesk employees had access to a subset of data fields, but could probably see that subset (data view) for all ODIDO customers (including subsidiaries).

The spam I received lately (I use a subsidiary of ODIDO) is also secondary proof that the hacker's claim is partly true (no horizontal least-privilege policy). I agree with @Bot that a vertical least-privilege policy was applied at ODIDO (otherwise the hackers could have done much more than just extracting the data of all customers).
 
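As an added illustration of the vertical/horizontal distinction discussed in the thread (a constructed model, not Odido's or Salesforce's actual configuration): the helpdesk role is limited to a subset of fields, but without a compartment scope the same credentials reach every customer of every subsidiary; the second function is the bulk-access monitoring the @Bot reply lists among likely gaps. Role names, brand names and customer records are assumed.

```python
from dataclasses import dataclass

# Constructed sample records; field names mirror the data categories in the
# HIBP notice. Each record belongs to one subsidiary ("brand").
CUSTOMERS = [
    {"id": 1, "brand": "brand_a", "name": "A. Jansen", "phone": "+31600000001",
     "address": "Street 1", "passport_no": "NX000001", "notes": "router reset"},
    {"id": 2, "brand": "brand_a", "name": "B. de Vries", "phone": "+31600000002",
     "address": "Street 2", "passport_no": "NX000002", "notes": "billing query"},
    {"id": 3, "brand": "brand_b", "name": "C. Bakker", "phone": "+31600000003",
     "address": "Street 3", "passport_no": "NX000003", "notes": "plan change"},
]

# Vertical least privilege: the fields a role/job title may read (assumed roles).
ROLE_FIELDS = {
    "helpdesk": {"id", "name", "phone", "notes"},
    "identity_check": {"id", "name", "passport_no"},
}

@dataclass(frozen=True)
class User:
    login: str
    role: str
    brands: frozenset  # horizontal scope: the subsidiaries this user supports

def query(user, customers, horizontal=True):
    """Return the records `user` may read, projected to the role's fields.
    horizontal=False reproduces the weak setting: the role still only sees its
    permitted fields, but every customer of every subsidiary is in scope."""
    fields = ROLE_FIELDS[user.role]
    rows = []
    for rec in customers:
        if horizontal and rec["brand"] not in user.brands:
            continue  # record lies outside the user's compartment
        rows.append({k: v for k, v in rec.items() if k in fields})
    return rows

def bulk_access_alerts(access_log, limit):
    """Flag logins that read more distinct customer records than `limit`.
    access_log: iterable of (login, record_id) tuples from one review window."""
    seen = {}
    for login, rec_id in access_log:
        seen.setdefault(login, set()).add(rec_id)
    return sorted(login for login, ids in seen.items() if len(ids) > limit)
```

With `horizontal=False` a helpdesk login never sees passport numbers (vertical control holds) yet enumerates all brands; with the compartment scope applied the same login only returns its own subsidiary's customers.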