How The Gentlemen Gained Access to SATS Accounts – And How It Could Have Been Prevented
Published March 30, 2026

When accounts at the gym chain SATS were compromised by the group The Gentlemen, it wasn’t necessarily the result of a traditional “hack” of the system itself. Instead, it points to a combination of password reuse, exposed infrastructure, and lack of visibility into the external attack surface.
This type of attack is becoming increasingly common — and more dangerous — as attackers automate their methods.
Previous Incident: Breach in Person Data Handling
This is not the first time SATS has drawn attention from a security and privacy perspective.
In 2023, SATS was fined by the Norwegian supervisory authority after violating several provisions of the GDPR.
According to the European Data Protection Board, this involved:
- Inadequate technical and organizational protective measures
- Failures in access controls
- Insufficient handling of personal data
This is significant for two reasons:
- Security is rarely an isolated event: organizations with weaknesses in data protection often also have vulnerabilities in other parts of their security infrastructure.
- The attack surface is broader than one might think: it's not just about firewalls and servers — but also about how identities, data, and access are managed.
This does not automatically mean that this incident has a direct connection to the previous fine.
But it shows a pattern that is very common:
When basic security controls have flaws, the likelihood of additional incidents increases.
What likely happened
The attackers used previously leaked credentials from other services. These typically include:
- Email addresses
- Passwords
Using automated tools, they tested these credentials against SATS login systems.
This is known as credential stuffing.
If a user had reused the same password, the login would succeed instantly — without exploiting any vulnerability in the application itself.
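As an added illustration (not code from the original post or from SATS), the login pattern described above can be spotted in an application's authentication log: one source address trying a leaked password against many different accounts, mostly failing, with a few successes where a user reused the password. The log format and the sample lines below are constructed for the example.

```python
# Added example: flag credential-stuffing sources in login logs.
# Stuffing tries ONE leaked password against MANY accounts from one source,
# so the signal is many distinct usernames per source with a low success ratio.
from collections import defaultdict

# Constructed sample lines in a hypothetical "<ts> <src_ip> <user> <result>" format.
SAMPLE_LOG = """\
2026-03-28T02:10:01Z 203.0.113.7 anna@example.com FAIL
2026-03-28T02:10:02Z 203.0.113.7 bob@example.com FAIL
2026-03-28T02:10:02Z 203.0.113.7 carl@example.com OK
2026-03-28T02:10:04Z 203.0.113.7 fay@example.com FAIL
2026-03-28T02:10:04Z 203.0.113.7 gus@example.com OK
2026-03-28T02:10:05Z 203.0.113.7 hana@example.com FAIL
2026-03-28T02:11:00Z 198.51.100.9 anna@example.com FAIL
2026-03-28T02:11:05Z 198.51.100.9 anna@example.com FAIL
2026-03-28T02:11:09Z 198.51.100.9 anna@example.com OK
2026-03-28T02:12:00Z 192.0.2.44 bob@example.com OK
"""

def parse_log(text):
    """Yield (src_ip, user, success) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3] == "OK"

def detect_stuffing(text, min_users=5, max_success_ratio=0.5):
    """Return {src_ip: summary} for sources that look like credential stuffing.

    A source is flagged when it tried at least min_users distinct accounts and
    most attempts failed; the accounts that DID succeed from such a source are
    the reused-password victims that need a forced reset and session revocation.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for src, user, ok in parse_log(text):
        s = per_src[src]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)
    flagged = {}
    for src, s in per_src.items():
        success_ratio = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and success_ratio <= max_success_ratio:
            flagged[src] = {"attempts": s["attempts"],
                            "distinct_users": len(s["users"]),
                            "compromised": sorted(s["hits"])}
    return flagged

if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The thresholds are deliberately simple; in production the same count would be computed over a sliding time window and joined with the user's usual geolocation and device, so a single repeated-failure user (198.51.100.9 above) is not confused with a stuffing run.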
A more common problem than many think
This is not unique to SATS.
In most organizations, there are:
- Users reusing passwords
- Accounts already exposed in past data breaches
- Limited visibility into which identities are compromised
This makes credential stuffing one of the most effective attack methods today.
But there’s a darker scenario
It’s not uncommon for legacy on-prem systems to remain in production environments — including potentially exposed internal services such as domain controllers or other critical servers.
This opens the door to a far more severe attack scenario.
Worst-case scenario: Exposed domain controller
If a domain controller (Active Directory) or related services are accessible from the internet, the situation changes completely.
Step 1 — Reconnaissance
Attackers begin by mapping your external attack surface.
This is typically automated by scanning domains, subdomains, and IP ranges.
They look for open TCP ports exposing sensitive services:
- SSH (22) — direct server access
- RDP (3389) — remote control of Windows systems
- VNC (5900) — graphical remote access
- LDAP / LDAPS (389 / 636) — Active Directory communication
- SMB (445) — file sharing and authentication
Database services:
- MSSQL (1433)
- Oracle (1521)
- MySQL (3306)
- PostgreSQL (5432)
- MongoDB (27017)
- Redis / others (varies)
This is exactly the type of exposure automated scanners look for — every single day, across the entire internet.
Step 2 — Initial access
Two common entry paths:
Option A: Credential stuffing / password spray
- Testing leaked credentials directly against remote access services, AD, or databases
Option B: Compromised endpoint
- An employee device is infected (phishing / infostealer)
- Provides attackers with internal credentials or active sessions
Step 3 — Lateral movement
Once inside:
- Enumerate users and groups
- Identify privileged accounts
- Move across systems within the network
Step 4 — Privilege escalation
- Exploit misconfigurations in Active Directory
- Dump credentials from memory
- Take over administrative accounts
Step 5 — Full compromise
At this stage, attackers can:
- Access databases containing customer data
- Extract or manipulate sensitive information
- Take control of the entire domain
- Deploy ransomware
This is a total compromise scenario.
Would External Exposure Monitoring have helped?
Yes — in both scenarios.
In the credential stuffing case:
- Identify users in breach databases
- Enable proactive password resets
- Detect abnormal login activity
In the worst-case scenario:
- Detect exposed ports (RDP, LDAP, SMB)
- Identify publicly accessible admin interfaces
- Provide continuous visibility into your attack surface
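One concrete building block for "identify users in breach databases" and "enable proactive password resets" is checking a password against a breach dataset at signup or reset time without sending the password (or its full hash) anywhere. The example below is added here and is not the post's or ExposureIndex's code; it follows the k-anonymity range model used by the Pwned Passwords API (send the first 5 hex characters of the SHA-1, match the suffix locally), but the range response and the counts are constructed so it runs offline.

```python
# Added example: check a candidate password against a breach dataset using the
# k-anonymity range model (as used by the Pwned Passwords API): only the first
# 5 hex chars of the SHA-1 hash leave the client, the server returns every
# suffix in that range, and the match is done locally. Here the "server
# response" is a constructed text blob so the check runs offline.
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed range response for prefix 5BAA6 (real responses have hundreds of
# lines). SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its
# suffix appears below; the counts and the other suffixes are made up.
CONSTRUCTED_RANGE = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2C35C5A3D8C3F2C9A6B7E1D0F4A5B6C7D:1
""",
}

def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS range lookup; returns the constructed blob."""
    return CONSTRUCTED_RANGE.get(prefix, "")

def breach_count(password: str) -> int:
    """Return how many times the password appears in the (constructed) dataset."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0

def password_allowed(password: str, max_seen: int = 0) -> bool:
    """Policy hook for signup/reset: reject any password seen in a breach."""
    return breach_count(password) <= max_seen
```

Wiring `password_allowed` into the reset flow means a reused, already-leaked password is rejected before it can ever be stuffed.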
What your company should do now
1. Eliminate unnecessary external exposure
- Domain controllers should never be publicly accessible
- Require VPN or Zero Trust access
2. Enforce strong authentication
- MFA on all accounts
- Prefer phishing-resistant methods (passkeys or hardware keys)
3. Continuously monitor identities
- Detect accounts in breach datasets
- Enforce password rotation
4. Segment your network
- Limit lateral movement
- Isolate critical systems
5. Implement endpoint protection
- Detect malicious processes and infostealers
- Prevent credential harvesting
The bottom line
It’s still unclear exactly how attackers gained access — but one thing is certain:
Organizations aren’t breached in one way — but in multiple ways at once.
Credential stuffing may be the entry point.
Exposed infrastructure may be the accelerator.
And lack of visibility allows both to go unnoticed.
Want to know how exposed your company is?
The first step is understanding what is already visible externally.
Run an external attack surface scan to find out:
- Which services are exposed
- Which accounts appear in data breaches
- Where your biggest risks are
What you can’t see can hurt you.