TLDR: In March 2025, 270,000 Samsung Germany customer records were leaked using credentials stolen in 2021 — credentials a cybersecurity firm had flagged years earlier that Samsung never rotated. In February 2024, the largest healthcare breach in US history happened because one Citrix portal was missing MFA — a policy that UnitedHealth's own security standards required. An automated vulnerability scanner running on either system would have reported no critical findings. Those reports would have been accurate. And completely useless.
The Credential That Sat There for Four Years
On 29 March 2025, a hacker operating under the alias "GHNA" dumped 270,000 Samsung Germany customer records onto the internet — names, addresses, email addresses, transaction details, order histories, support communications.
They didn't break any code. They didn't exploit a zero-day. They used a username and password that had been sitting in criminal databases since 2021, when Raccoon Infostealer malware infected a laptop belonging to an employee at Spectos GmbH — a third-party service quality monitoring firm connected to Samsung's German customer ticketing system.
Hudson Rock, the security firm that analysed the breach, found that initial access was gained via login credentials stolen by an infostealer in 2021. Apparently, the compromised credentials had not been updated for years.
Hudson Rock had flagged these compromised credentials years ago in their Cavalier database, which tracks over 30 million infected machines. Samsung reportedly failed to rotate or secure them, allowing the hacker to access the system years later.
Run an automated vulnerability scanner against Samsung's ticketing system in 2024. It would have tested for open ports, unpatched software, weak cipher suites, missing headers. It would have found nothing critical. Because there was nothing technically broken. The credentials were valid. The system was functioning as designed. The control that was missing — credential rotation — is not something any scanner checks for.
The Portal That Had No MFA
Three months before the Samsung breach, in February 2024, a single stolen credential and a missing checkbox caused the largest healthcare data breach in United States history.
UnitedHealth confirmed that Change Healthcare's network was breached by the BlackCat ransomware gang, who used stolen credentials to log into the company's Citrix remote access service, which did not have multi-factor authentication enabled.
The company's policy was to have MFA turned on for all external-facing systems, but for reasons that remain under investigation, a Change Healthcare Citrix portal used for desktop remote access did not have MFA turned on. "That was the server through which the cybercriminals were able to get into Change," UnitedHealth CEO Andrew Witty said.
The attackers were inside the network for nine days before deploying ransomware. By then, they had exfiltrated 4TB of data. The final count of affected individuals reached 190 million — more than half the US population. The financial cost to UnitedHealth exceeded $2.8 billion by mid-2025.
One Citrix portal. No MFA checkbox ticked. No vulnerability scanner would have flagged it as a critical finding, because the portal was technically functional. It was serving its purpose. The missing control was a gap, not a broken component.
The Pattern These Breaches Share
These are not isolated anomalies. They represent a category of security failure that is structurally invisible to automated tooling: the absence of a required control.
A vulnerability scanner finds things that are broken — software with known CVEs, misconfigured headers, weak cryptographic implementations. It cannot find things that are missing — a rotation policy that was never enforced, an MFA configuration that was never applied, a third-party access review that was never conducted, an offboarding process that never revoked credentials.
This is the critical distinction. Broken things have signatures. Missing things have no signature. You cannot scan for the absence of a process.
The secrets in code post covers a related pattern — credentials committed to repositories that live there indefinitely because no one has a process to detect or rotate them. The IAM permissions post covers what happens when access is provisioned but never reviewed. Same category: not broken, just missing the right control.
What "No Vulnerabilities Found" Actually Means
Let's be precise about what an automated scanner is actually telling you when it returns a clean report.
It is telling you: of the known vulnerability signatures in our database, we did not detect any matches against the assets you provided us.
It is not telling you: your credential hygiene is sound. Your MFA coverage is complete. Your third-party access has been reviewed recently. Your access control policies match your actual configuration. Your architecture has no single points of failure.
The gap between those two statements is where real breaches happen.
This is the false confidence problem — and it is more dangerous than false positives. A false positive means your team wastes time investigating a non-issue. False confidence means your team doesn't investigate the actual risk at all, because the report implied it wasn't there.
What Manual Assessment Finds That Scanners Cannot
A manual security assessment — whether a penetration test, an architecture review, or a control gap analysis — is not limited to signature matching. A human reviewer asks questions that scanners were never designed to ask.
Are your third-party vendor credentials subject to rotation policies — and is that policy actually enforced? Does MFA coverage match your documented standards across every external-facing system, or are there exceptions that were never followed up? When an employee leaves, is access revocation verified or assumed? If your Citrix portal was acquired through a company merger, did it go through the same security onboarding as your primary infrastructure?
These are process and architecture questions. Their answers determine whether you have a Samsung-style gap sitting dormant in your environment right now.
The most valuable output of a manual engagement is sometimes not a list of vulnerabilities found — it's a list of controls that should exist but don't. The things your scanner had no way to tell you were missing.
The Question Worth Asking This Week
You don't need to wait for a pen test to start. One question for your team right now:
Do we have any third-party vendor credentials with access to our systems that haven't been reviewed or rotated in the last 12 months?
If the honest answer is "we don't know" — that is your finding.
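Both the MFA-versus-policy question from the previous section and this week's 12-month credential question can be answered from an inventory rather than a scanner. The following is an added example, not code from the original post or from any company named in it; the inventory format, the yearly rotation threshold and every name and date in it are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
ROTATION_MAX_AGE = timedelta(days=365)  # hypothetical policy: rotate yearly

@dataclass
class Credential:
    vendor: str          # who holds the credential
    system: str          # what it unlocks
    third_party: bool
    last_rotated: date   # None = never rotated, or no record at all

@dataclass
class System:
    name: str
    external_facing: bool
    mfa_required_by_policy: bool   # what the written standard says
    mfa_enabled: bool              # what the configuration actually is

def stale_third_party_credentials(creds, today, max_age=ROTATION_MAX_AGE):
    """Third-party credentials not rotated within max_age, or with no record."""
    findings = []
    for c in (c for c in creds if c.third_party):
        if c.last_rotated is None:
            findings.append((c.vendor, c.system, "rotation date unknown"))
        elif today - c.last_rotated > max_age:
            days = (today - c.last_rotated).days
            findings.append((c.vendor, c.system, f"last rotated {days} days ago"))
    return findings

def mfa_policy_gaps(systems):
    """External-facing systems where policy requires MFA but config lacks it."""
    return [s.name for s in systems
            if s.external_facing and s.mfa_required_by_policy and not s.mfa_enabled]

# Constructed sample inventory; every name and date here is made up.
CREDENTIALS = [
    Credential("vendor-monitoring", "ticketing-portal", True, date(2021, 5, 3)),
    Credential("vendor-payroll", "hr-api", True, date(2025, 1, 10)),
    Credential("internal-ci", "build-server", False, date(2020, 1, 1)),
    Credential("vendor-legacy", "sftp-dropbox", True, None),
]
SYSTEMS = [
    System("remote-access-portal", True, True, False),
    System("vpn-gateway", True, True, True),
    System("intranet-wiki", False, True, False),
]

def control_gap_report(creds=CREDENTIALS, systems=SYSTEMS, today=date(2025, 6, 1)):
    return {"stale_credentials": stale_third_party_credentials(creds, today),
            "mfa_gaps": mfa_policy_gaps(systems)}
```

A credential with no rotation record is reported as a finding in its own right, because "we don't know" is exactly the answer the question above is meant to surface.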
Has your team ever discovered a missing control that a scanner completely overlooked — something obvious in hindsight that no automated tool would have caught? Drop a comment. These stories matter, and they're far more instructive than any CVE database.
At Kuboid Secure Layer, our assessments include control gap analysis alongside vulnerability testing — specifically because the Samsung and Change Healthcare categories of failure are increasingly common and completely invisible to scanning alone. If you want to know what your environment is missing, not just what's broken, let's talk. We also offer a Virtual Security Engineer service for teams that need ongoing security oversight without a full-time hire.