2026-06-04, Track 2
When ShinyHunters breached Odido's Salesforce CRM, the headlines focused on the numbers: 6.5 million records, 48 hours undetected, one phishing email. But that framing misses the point entirely. The breach didn't expose personal data; it exposed an identity bridge. And in a telecom environment, that bridge leads somewhere far more dangerous than fraud.
This talk goes past the incident report. We examine what a sophisticated attacker can actually do with a full subscriber dataset (MSISDN, IMSI correlations, service profiles, device identifiers) once it leaves a CRM and lands in the hands of someone who understands telecom core networks, signaling (SS7, Diameter), and the soft underbelly of interconnect infrastructure.
Talk Outline
Opening
We start not with a vulnerability, but with a phishing email. This talk is about what happens after that and why the outcome in a telecom environment is categorically different from any other sector.
Context
A brief look at Odido, the breach, and what ShinyHunters actually walked away with. Not just names and numbers: a structured subscriber dataset that functions as an identity bridge into downstream systems.
The data problem
We break down what a carrier CRM record actually contains: MSISDN, device identifiers, service profiles, account history. Each field is a capability. Together they form an attack primitive most threat actors outside telecom don't fully appreciate yet.
The attacker's playbook
The core of the talk. Five concrete paths from CRM access to real-world impact: SIM swap operations, SS7 and Diameter abuse using subscriber context, precision social engineering at carrier fidelity, cross-dataset identity correlation, and roaming and interconnect fraud.
The structural gap
The BSS is hardened. The CRM sitting in front of it is staffed by people who answer phones. We examine why the business edge is the softest point in the telco stack and why it is being systematically underestimated.
Detection (what should have fired)
A walkthrough of the behavioral signals that were available: new device, abnormal hours, bulk queries, role-inconsistent access patterns. Why they didn't translate into an alert.
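As an added illustration (not code from the talk or from Odido), here is how the four signals listed above could be scored over CRM audit events and correlated into a single alert; the event fields, the baseline of known devices, the per-role action list and the bulk threshold are all assumptions, and the events are constructed.

```python
from collections import Counter
from datetime import datetime

# Assumed baselines an analyst would derive from history (constructed here).
KNOWN_DEVICES = {"agent42": {"dev-laptop-01"}}
ROLE_ACTIONS = {"helpdesk": {"view_contact", "update_ticket"}}  # allowed per role
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time
BULK_THRESHOLD = 500            # records touched per user per hour

# Constructed CRM audit events: one helpdesk agent, one compromised session.
EVENTS = [
    {"ts": "2026-01-10T14:05:00", "user": "agent42", "role": "helpdesk",
     "device": "dev-laptop-01", "action": "view_contact", "records": 1},
    {"ts": "2026-01-11T02:10:00", "user": "agent42", "role": "helpdesk",
     "device": "dev-unknown-77", "action": "view_contact", "records": 1},
    {"ts": "2026-01-11T02:12:00", "user": "agent42", "role": "helpdesk",
     "device": "dev-unknown-77", "action": "bulk_export", "records": 400},
    {"ts": "2026-01-11T02:40:00", "user": "agent42", "role": "helpdesk",
     "device": "dev-unknown-77", "action": "bulk_export", "records": 300},
]


def score_events(events):
    """Return {user: set of signal names} for the four behavioural signals."""
    signals = {}
    hourly = Counter()  # (user, date-hour) -> records touched
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        hits = signals.setdefault(e["user"], set())
        # New device: not in the user's historical device set.
        if e["device"] not in KNOWN_DEVICES.get(e["user"], set()):
            hits.add("new_device")
        # Abnormal hours: activity outside the business-hours window.
        if ts.hour not in BUSINESS_HOURS:
            hits.add("abnormal_hours")
        # Role-inconsistent access: action not expected for this role.
        if e["action"] not in ROLE_ACTIONS.get(e["role"], set()):
            hits.add("role_inconsistent")
        # Bulk queries: records touched per hour above threshold.
        key = (e["user"], ts.strftime("%Y-%m-%dT%H"))
        hourly[key] += e["records"]
        if hourly[key] > BULK_THRESHOLD:
            hits.add("bulk_query")
    return signals


def should_alert(hits, minimum=2):
    """Correlate: any one signal is routine noise; two or more together should page."""
    return len(hits) >= minimum
```

Each signal alone fires constantly in a real helpdesk, which is why the correlation step matters more than any single rule.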
Closing
Not a lesson specific to Odido. Every carrier runs a CRM. Every CRM has a helpdesk. This talk ends with what that means for the rest of us.
Ali is a cybersecurity researcher with over a decade of experience in tech fields. He is currently the application and offensive security manager at Canon EMEA. Ali is a regular speaker or trainer at industry conferences and events such as Confidence Conf 2020, Hack In The Box 2023 AMS, DefCon 3x, IEEE AI-ML-Workshop-2021, SSD TyphoonCon 2x, c0c0n, BSides Toronto, Budapest, Calgary, Newcastle, Barcelona, OWASP Ottawa chapter, LeHack2022, NoNameCon, YASCon, COUNTERMEASURE Conference, DragonCon, COSAC 2022, Hacktivity, DefCon Holland, etc.
Moreover, he was a trainer at OWASP Summer of Security 2020 and 2021 July training and a reviewer for Springer Cluster Computing Journal/Elsevier and the 2021 Global AppSec U.S. event. Ali is a Microsoft MVP and has published a book, along with several papers and blog posts.