A major data breach is making headlines, and the most surprising part? It wasn’t caused by some newly discovered zero-day exploit or sophisticated ransomware campaign. It all started with an infostealer malware back in 2021.
More than 270,000 customer records from a leading global tech company (we’ll refer to them as “S”) were recently leaked publicly online. A hacker using the alias GHNA published the data, which includes sensitive customer support interactions from S’s operations in Germany.
The leak raises serious questions about the company’s credential hygiene and long-term cybersecurity accountability. The breach is now under investigation, but the timeline of events tells a deeper story about missed signals, weak credential management, and the long consequences of outdated security practices.
Starting with a Forgotten Infostealer Attack
Let’s rewind to 2021, when the actual origin point of this breach happened.
A type of malware called Raccoon Infostealer had silently infected the computer of an employee working for a third-party IT service provider linked to “S.” This malware specializes in quietly stealing login credentials, browsing data, and other sensitive information from infected machines, often without the user ever realizing it.
For context: Malware (short for malicious software) refers to any program designed to damage, disrupt, or gain unauthorized access to a system. Infostealers like Raccoon are a specific type of malware focused on data theft, especially login details.
According to Forbes, the stolen credentials were tied to S’s customer support ticketing system in Germany and were never rotated or updated. For years, those login details sat exposed and unchanged, quietly waiting for someone to take advantage.
That someone was GHNA, a hacker who came across the credentials in 2025 and used them to gain access to the system, leaking over 270,000 customer support records online.
What makes this incident even more concerning is that the credentials weren’t just floating around in the dark web without detection. Cybersecurity firm Hudson Rock had already flagged those exact credentials years ago in their threat intelligence system, which tracks infections from over 30 million compromised devices worldwide.
“270,000 customer tickets have hit the open internet… courtesy of a simple login that never got rotated,” — Alon Gal, CTO of Hudson Rock (via Forbes)
In other words, the red flags were there: the breach didn’t go unnoticed, but it went unaddressed. It wasn’t a lack of detection that led to this. It was a lack of action.
A Preventable Breach With a Familiar Pattern
While the attack may have taken place in 2025, the vulnerability began years earlier.
“Infostealers don’t need to break in. They wait for someone to leave the door open,” — Hudson Rock via eSecurity Planet
The case is a textbook example of what happens when compromised credentials aren’t taken seriously. This wasn’t a zero-day exploit or an elite-level APT (Advanced Persistent Threat). It was an overlooked login from a third-party partner. It’s a powerful reminder that cybersecurity isn’t just about high-end tools but rather about the fundamentals.
Those fundamentals include:
Credential hygiene: Regularly rotating and revoking unused credentials, especially those tied to vendors or third-party tools
Timely response to threat intelligence: Acting on alerts or reports from security partners instead of letting them sit unresolved
Vendor risk management: Keeping track of who has access to what, and ensuring all partners meet minimum security standards
Routine access audits: Periodically reviewing who can access critical systems and why
Security awareness across teams: Making sure even non-security employees understand the risk of credential theft and phishing
When these core practices are skipped or delayed, even the best tools won’t be enough to prevent a breach.
What Was Leaked?
According to reports from CSO Online and eSecurity Planet, the leaked dataset contained a surprisingly detailed look into customer behavior and interaction history, which is far beyond what most people assume when they hear the words “data breach.”
Here’s what was reportedly exposed:
Full names: Allowing easy identification and pairing with other public data
Email addresses: Opening the door to phishing campaigns and social engineering attacks
Physical addresses: A serious concern, especially when combined with product and tracking info
Order and product model numbers: Including exact details about what customers bought, when, and where
Payment methods: While credit card numbers weren't included, the type of payment and purchase history still give threat actors valuable context
Tracking links for deliveries: Enabling interception of physical goods (a tactic known as porch piracy)
Support tickets and customer service interactions: Can include personal complaints, return issues, or even login details mentioned in messages
These data points, when combined, offer a comprehensive profile of each individual: what they bought, where they live, how they interact with support, and even when their packages are arriving.
For attackers, this kind of information is a goldmine. For affected customers, it’s a deeply invasive breach of privacy, digitally and personally.
The Risks: How Can Cyber Criminals Exploit This?
As mentioned above, the leaked data opens the door to several malicious activities:
Phishing scams: Tailored messages that appear legitimate, referencing real orders and support issues
Fake warranty claims: Using leaked order details to request product replacements
Account takeovers: Impersonating users to gain access to other systems or platforms
Delivery interception: Using tracking links to steal valuable packages before they reach the customer’s door
And nowadays, it doesn’t take much for this data to be fed into AI-driven attack systems that will make exploitation even faster, cheaper, and more scalable.
Key Takeaways
This incident offers an important reminder to all companies:
Credential rotation is not optional, especially for systems tied to vendors or support services.
Threat intelligence only works when acted upon. Flagging is the first step, not the last.
Third-party access must be audited regularly. Outsourced systems are often the weakest links.
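The credential-hygiene, threat-intelligence and third-party-audit points made in the fundamentals list earlier and in the takeaways just above can be turned into a routine check that flags exactly the situation described in this breach: a credential that a threat-intel feed has already seen in an infostealer log and that has not been rotated since. The following is an added example, not code from the original post or from Cisometric; the account names, dates, the 90-day rotation policy and the feed contents are all constructed assumptions.

```python
from datetime import date

# Constructed sample inventory of service credentials (hypothetical, not real accounts).
CREDENTIALS = [
    {"account": "svc-ticketing-de", "owner": "third-party IT provider", "last_rotated": date(2020, 11, 3)},
    {"account": "svc-portal", "owner": "third-party IT provider", "last_rotated": date(2025, 2, 10)},
    {"account": "svc-crm-sync", "owner": "internal", "last_rotated": date(2025, 1, 15)},
    {"account": "svc-backup", "owner": "internal", "last_rotated": date(2022, 6, 1)},
]

# Constructed threat-intelligence feed: accounts seen in infostealer logs and the date first observed.
INFOSTEALER_HITS = {
    "svc-ticketing-de": date(2021, 8, 12),
    "svc-portal": date(2023, 2, 1),
}

MAX_AGE_DAYS = 90               # assumed rotation policy threshold
AUDIT_DATE = date(2025, 3, 30)  # fixed "today" so the example is reproducible


def audit(credentials, hits, today, max_age_days=MAX_AGE_DAYS):
    """Flag credentials that are still exposed (unrotated since a threat-intel hit) or stale."""
    findings = []
    for cred in credentials:
        reasons = []
        exposed_on = hits.get(cred["account"])
        # Still exposed if the last rotation happened on or before the date the feed first saw it.
        still_exposed = exposed_on is not None and cred["last_rotated"] <= exposed_on
        if still_exposed:
            reasons.append(f"seen in infostealer log on {exposed_on} and not rotated since")
        age_days = (today - cred["last_rotated"]).days
        if age_days > max_age_days:
            reasons.append(f"credential age {age_days} days exceeds policy of {max_age_days}")
        if not reasons:
            continue
        if cred["owner"] != "internal":
            reasons.append("third-party credential: confirm the vendor still needs this access")
        findings.append({
            "account": cred["account"],
            "priority": "critical" if still_exposed else "high",
            "reasons": reasons,
        })
    return findings


def run_example():
    return audit(CREDENTIALS, INFOSTEALER_HITS, AUDIT_DATE)
```

A credential that appears in the feed but was rotated after the observation date (svc-portal here) is deliberately not flagged as exposed, which is the distinction a rotation policy must track.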
For individuals, it’s a timely moment to review digital hygiene:
Be cautious with emails referencing your orders or support interactions.
This breach is a reminder that cyber threats don’t always arrive with loud alarms. Sometimes, it’s the small things left unchecked (like outdated credentials, unmonitored third-party access, or missed threat alerts) that lead to a huge amount of damage.
In this case, the breach wasn’t due to a lack of detection. It was a failure to act on early warning signs. And unfortunately, it’s not an isolated case. Many organizations (even the most technologically advanced) are still vulnerable because basic security practices aren’t consistently enforced across teams and vendors.
This is where proactive cybersecurity makes a difference.
At Cisometric, we help organizations strengthen their defenses with more than just tools. Our approach includes:
Real-time threat intelligence, so you’re alerted to exposed credentials and vulnerabilities before they’re exploited.
Vendor and third-party access monitoring, to keep track of who has access to your systems.
Credential hygiene and detection services, ensuring compromised logins don’t sit idle.
And a next-generation Security Operations Center (SOC) that continuously hunts for, investigates, and neutralizes threats.
If your organization is ready to strengthen its security posture, we’re here to help.
Schedule a meeting with our team to learn how Cisometric’s SOC and other solutions can protect your business, today and tomorrow.