The stolen credentials of an employee at third-party IT service provider Spectos GmbH sat dormant for four years until a threat actor calling itself “GHNA” used them and dumped 270,000 customer service tickets onto the open internet, taken from an unsuspecting Spectos customer: Samsung Germany.
In a March 30 blog post, Hudson Rock researchers explained that the case dates back to 2021, when a Raccoon infostealer silently harvested a Spectos GmbH employee’s login credentials for samsung-shop.spectos.com, a Spectos application tied to Samsung’s ticketing system.
“At Hudson Rock, we flagged these compromised credentials years ago in our Cavalier database, which tracks more than 30 million infected machines,” wrote the researchers. “These credentials sat dormant until ‘GHNA’ got their hands on them. Fast forward to 2025, and boom: 270,000 customer tickets hit the open internet, most of them from 2025, courtesy of a simple login that never got rotated.”
This was the second time in a couple of years that Samsung has made news over a significant cybersecurity issue. In 2023, Samsung employees accidentally leaked sensitive code via ChatGPT, after which the company banned the use of GenAI tools altogether to prevent similar leaks.
In this case, the failure to rotate a compromised credential was brought into the open, a reminder to security teams of how careful they have to be in a climate where threat actors continually scan for stolen credentials.
“The Samsung Germany breach is a textbook example of the long tail of credential-based threats,” said Chad Cragle, chief information security officer at Deepwatch. “In this case, access was reportedly gained using credentials stolen in 2021 via an infostealer. This is proof that old compromises don’t just disappear; they wait.”
Cragle pointed out that stolen credentials often circulate for years, and attackers continuously scan for forgotten or unmonitored access points. Without strong credential hygiene and real-time visibility, organizations—and their vendors—remain vulnerable, said Cragle.
“This is a wake-up call,” said Cragle. “Compromised credentials are a time bomb. Continuous monitoring for leaked credentials, identity threat detection, and tighter third-party access governance are critical to staying ahead of today’s credential-driven threats.”
Heath Renfrow, co-founder and CISO at Fenix24, added that Spectos GmbH may not have had adequate monitoring in place to detect unusual activity related to the stolen credentials. Renfrow said many organizations focus on external threats or suspicious activities, but overlook the internal risk posed by valid but compromised user accounts.
For example, if the compromised account was associated with a routine or administrative task, such as monitoring and service quality improvements, it may not have raised suspicion when accessed, especially if the attacker remained within expected usage patterns.
“In many cases, hackers will ‘bide their time’ before exploiting compromised credentials, especially if they perceive that the environment may be vulnerable at a later date,” said Renfrow. “This could involve waiting for a change in the target organization’s network, acquiring additional access or privileges over time, or simply monitoring the organization to identify the right moment to strike. They may have also been waiting for a larger breach (like Samsung’s) to occur, allowing them to extract more value from the stolen data.”
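The detection gap described above, a valid account whose individual actions look routine, is easier to close when each event is compared with that account’s own history rather than judged in isolation. The Python below is an added illustration for this article and is not tooling from Hudson Rock, Spectos or Samsung; the account name, IP addresses, timestamps, ticket counts and thresholds are all constructed. It flags a credential past its rotation age (the hygiene failure the researchers point to), a login after a long dormancy, a source address never seen for that account, and a read volume far above the account’s own baseline, then escalates only when several independent signals coincide, since any one of them on its own is often legitimate.

```python
"""Detecting a valid-but-compromised account from its own behaviour.

Added illustration for the scenario discussed in this article; it is not
Hudson Rock's, Spectos's or Samsung's tooling. The account name, IP
addresses, timestamps, counts and thresholds below are all constructed.
"""
from collections import defaultdict
from datetime import datetime

DORMANT_DAYS = 90        # assumption: no activity for this long = dormant account
ROTATION_MAX_DAYS = 365  # assumption: policy maximum credential age
VOLUME_MULTIPLIER = 5    # assumption: reads above 5x the account's own max are a spike

# Constructed access log: (timestamp, account, source_ip, action, count)
EVENTS = [
    ("2024-01-10T09:02:00", "svc-monitor", "203.0.113.7", "login", 1),
    ("2024-01-10T09:03:00", "svc-monitor", "203.0.113.7", "ticket_read", 40),
    ("2024-02-14T08:55:00", "svc-monitor", "203.0.113.7", "login", 1),
    ("2024-02-14T08:56:00", "svc-monitor", "203.0.113.7", "ticket_read", 35),
    ("2024-03-12T09:10:00", "svc-monitor", "203.0.113.7", "login", 1),
    ("2024-03-12T09:11:00", "svc-monitor", "203.0.113.7", "ticket_read", 52),
    # a year of silence, then a login from a network never seen for this
    # account and a bulk export far beyond its monthly routine
    ("2025-03-25T02:17:00", "svc-monitor", "198.51.100.23", "login", 1),
    ("2025-03-25T02:18:00", "svc-monitor", "198.51.100.23", "ticket_read", 270000),
]

# Constructed credential inventory: account -> last rotation timestamp
CREDENTIALS = {"svc-monitor": "2021-06-01T00:00:00"}


def stale_credentials(credentials, now):
    """Hygiene check: secrets older than policy, regardless of any activity."""
    out = []
    for account, rotated in credentials.items():
        age = (now - datetime.fromisoformat(rotated)).days
        if age > ROTATION_MAX_DAYS:
            out.append((account, "stale_credential", age))
    return out


def activity_signals(events):
    """Walk events in time order and compare each one with the account's own
    history: last-seen time, source addresses, and read volume."""
    last_seen, known_ips, reads = {}, defaultdict(set), defaultdict(list)
    out = []
    for ts, account, ip, action, count in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "login":
            if account in last_seen:
                gap = (t - last_seen[account]).days
                if gap > DORMANT_DAYS:
                    out.append((account, "dormant_login", gap))
            if known_ips[account] and ip not in known_ips[account]:
                out.append((account, "new_source", ip))
            known_ips[account].add(ip)
        elif action == "ticket_read":
            if reads[account] and count > VOLUME_MULTIPLIER * max(reads[account]):
                out.append((account, "volume_spike", count))
            reads[account].append(count)
        last_seen[account] = t
    return out


def triage(signals, min_signals=2):
    """Escalate accounts that trip several independent signals; one signal on
    its own (a new office IP, a busy month) is often legitimate."""
    per_account = defaultdict(set)
    for account, signal, _ in signals:
        per_account[account].add(signal)
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= min_signals}


def run(events=EVENTS, credentials=CREDENTIALS):
    """Evaluate the log as of its latest event; returns (signals, escalations)."""
    now = max(datetime.fromisoformat(e[0]) for e in events)
    signals = stale_credentials(credentials, now) + activity_signals(events)
    return signals, triage(signals)


if __name__ == "__main__":
    signals, escalations = run()
    for s in signals:
        print("signal:", s)
    print("escalate:", escalations)
```

Over the constructed log the first three months produce no signals at all, which is the point: the attacker’s login is within the account’s permitted use and would pass a permissions-only review. It is the comparison with history (a 377-day gap, a never-seen source, a read count thousands of times the baseline, on top of a credential roughly four years past rotation) that separates it from the routine activity around it.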