Cyber Incident Victim: Samsung Germany

Date: Nov 2025

Location: Germany

Summary

Criminals accessed Samsung's support database and copied about 270,000 customer records, which were later offered for sale on a darknet forum by a user known as GHNA. The leaked data includes names, addresses, email addresses, order details and internal correspondence from customer satisfaction tickets. An investigation by a security firm traced the breach to the stolen login credentials of an employee at Spectos GmbH, the partner that operates the ticket-processing system; the credentials had been obtained via infostealer malware. The company confirmed that an unauthorized intrusion occurred at a business partner's IT system and said it is examining the scope of the incident.

Description

On April 1, 2025, heise online reported that approximately 270,000 customer data records from Samsung Deutschland had appeared on the darknet. The data were being offered for sale by a user operating under the handle "GHNA" in a known underground forum, at a price of eight credits, equivalent to about two euros. According to the forum posting, the stolen records consisted of customer satisfaction tickets and included full names, postal addresses, e-mail addresses, order details and internal communications. The archive was said to contain mainly interactions from 2025, the current year at the time of the report.

Hudson Rock, an IT-security firm specializing in data-leak analysis, identified the source of the breach as a set of administrative credentials that had been stolen from an employee of Spectos GmbH. Spectos operates the customer-experience platform that underlies Samsung's service-ticket system, accessible via the URL http://samsung-shop.spectos.com. The credentials had been exfiltrated in 2021 by the Raccoon Infostealer and had remained unchanged for roughly four years before being reused to gain unauthorized access. Hudson Rock noted that the compromised credentials were present in its own data-leak database, which facilitated the tracing of the attack. The firm concluded that the attackers copied the data from the support database and subsequently uploaded it to the darknet marketplace.

The report outlined the potential misuse of the exposed information, noting that cybercriminals could launch convincing phishing campaigns, submit false warranty claims, or commit other offenses that rely on identity theft. Individuals who had recently interacted with Samsung's support were advised to be particularly vigilant.

Samsung did not immediately respond to heise online's request for confirmation of the leak and the authenticity of the data. Later in the evening, Samsung issued a brief statement acknowledging that an IT system belonging to one of its German business partners had experienced unauthorized access to customer data. The company emphasized that it takes the security of customer data very seriously and that it was currently investigating the scope of the incident. No further technical details, containment measures, or timelines for remediation were disclosed in the available source material. The report concluded by noting that the incident was disclosed alongside unrelated data leaks affecting certain Apple-iOS dating apps, but those events were not connected to the Samsung breach.
