
Cyber Incident Victim: PillPack

Date: Apr 2023

Location: United States of America

Summary

An unauthorized party accessed PillPack customer accounts using stolen login credentials, compromising a significant number of user profiles. The breach resulted in the exposure of email addresses and passwords, with a subset of the affected accounts having prescription information viewed. No Social Security numbers or payment card data were involved. In response, the company reset all account passwords and enabled mandatory multifactor authentication to secure consumer accounts.


Description

On April 3, 2023, PillPack, a pharmacy subsidiary of Amazon, detected a series of suspicious login attempts targeting its customer accounts. This observation prompted the immediate launch of a formal investigation to determine the nature and scope of the activity. The subsequent forensic analysis determined that the suspicious logins were part of an ongoing security incident. The investigation established that an unauthorized external party had gained access to a number of customer accounts. This access was not obtained through a direct breach of PillPack's own internal systems but was instead achieved using customer login credentials—specifically email addresses and passwords—that the threat actor had acquired from a source outside of PillPack.


The period of unauthorized access was identified as having occurred between April 2 and April 6, 2023. During this four-day window, the threat actor used the stolen email and password combinations to successfully log into a total of 19,032 distinct PillPack customer accounts. The login credentials were likely compiled from previous data breaches of other, unrelated online services where customers had used the same passwords. This technique, known as credential stuffing, exploits the common user behavior of password reuse across multiple websites and applications.

Upon gaining entry to these accounts, the unauthorized party had the potential to view the personal and health information contained within them. Of the 19,032 accounts that were illegally accessed, a subset of 3,614 accounts contained prescription-related information. The specific prescription data that was exposed was not detailed beyond this broad categorization. The investigation conclusively determined that more sensitive categories of information were not involved in this particular incident. According to an official data breach notification issued by Amazon, customer Social Security numbers and payment card information were not compromised or accessed during the breach. The compromise was limited to the account access itself and the information visible within those accounts, predominantly email addresses, passwords, and for the affected subset, prescription details.

In direct response to the incident, PillPack executed a comprehensive set of security measures aimed at containing the event and preventing any further unauthorized access. The primary containment action involved the company initiating a mandatory reset of passwords for all consumer accounts. This action effectively invalidated the credentials that had been used by the attacker and any other potentially compromised passwords, immediately severing the threat actor's access to the accounts. Furthermore, PillPack implemented a significant enhancement to its account security posture by enabling multifactor authentication (MFA) on all consumer accounts. This security control adds a required second layer of verification beyond just a password, substantially increasing the difficulty for an attacker to gain access to an account even if the login credentials are known.
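The credential-stuffing pattern described above (one source trying leaked email/password pairs against many distinct accounts in a short burst) and the response that followed (resetting the accounts the attacker actually got into) can both be expressed as detection logic over authentication logs. The following is an added example written for this page, not code from PillPack or Amazon; the log format, IP addresses, account names, the 10-minute window and the five-account threshold are all constructed assumptions:

```python
"""Credential-stuffing detection over constructed login events.

Added example (not PillPack/Amazon code). The log line format
"timestamp src_ip account result" and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log. 203.0.113.7 sprays six accounts in
# three seconds (stuffing); 198.51.100.4 is one user mistyping a password;
# 192.0.2.9 is an ordinary single login.
SAMPLE_LOG = """\
2023-04-02T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-04-02T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-04-02T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2023-04-02T10:00:03Z 203.0.113.7 dave@example.com FAIL
2023-04-02T10:00:03Z 203.0.113.7 erin@example.com SUCCESS
2023-04-02T10:00:04Z 203.0.113.7 frank@example.com FAIL
2023-04-02T10:05:00Z 198.51.100.4 alice@example.com FAIL
2023-04-02T10:05:30Z 198.51.100.4 alice@example.com SUCCESS
2023-04-02T11:00:00Z 192.0.2.9 grace@example.com SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that attempt logins to many distinct accounts within a window.

    Credential stuffing looks like breadth (many accounts, usually many failures)
    from one source, unlike a legitimate user retrying a single account.
    Returns {ip: {"distinct_accounts", "failures", "success_accounts"}} for the
    densest qualifying window seen per IP.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp first
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            if len(accounts) >= min_accounts and (
                best is None or len(accounts) > best["distinct_accounts"]
            ):
                best = {
                    "distinct_accounts": len(accounts),
                    "failures": sum(1 for e in win if e[3] == "FAIL"),
                    "success_accounts": sorted({e[2] for e in win if e[3] == "SUCCESS"}),
                }
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_reset(flagged):
    """Accounts a flagged source logged into successfully: candidates for a forced
    password reset and MFA enrolment, which is the containment step the page describes."""
    return sorted({acct for info in flagged.values() for acct in info["success_accounts"]})


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in hits.items():
        print(f"{ip}: {info['distinct_accounts']} accounts, {info['failures']} failures")
    print("reset:", accounts_to_reset(hits))
```

In the constructed sample only 203.0.113.7 crosses the threshold; the user at 198.51.100.4 who failed once and then succeeded on the same account is not flagged, which is the distinction a breadth-per-source rule is meant to draw. Real deployments would also key on user-agent and ASN and treat a password reset plus MFA enforcement, as PillPack did, as the response to the accounts in the success list rather than to the whole user base only.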

The company notified affected consumers of the breach. The notification informed customers that the email address and password they used for PillPack had been compromised and that their account had been accessed by an unauthorized party. For individuals whose accounts contained prescription information, the notification would have confirmed that this category of data was involved. The company's public messaging emphasized that the most sensitive financial and identifier data, namely payment cards and Social Security numbers, were not part of the incident. The impact of the breach was confined to a violation of account security and a potential exposure of personal and health information; based on the information known to have been accessed, it did not extend to identity theft or direct financial fraud. Remediation focused on securing the accounts and hardening their configuration against future credential-based attacks.
