Cyber Incident Victim: Zur Rose Group AG
Date: Jan 2023
Location: Netherlands
Summary
A credential-stuffing attack targeted the online pharmacy DocMorris, compromising approximately 20,000 customer accounts by exploiting reused passwords obtained from other breaches. Attackers altered delivery addresses to place unauthorized medication orders, prompting the company to proactively lock affected accounts and notify customers via letters and emails. The incident led to a temporary restriction of payment options to prepayment methods like PayPal and credit cards to mitigate further fraud risks. Some customers reported being impacted despite using unique passwords or password managers, with the company clarifying that accounts showing any login attempts during the attack period were locked as a precautionary measure. Data protection authorities in Germany and the Netherlands were informed of the breach.
Description
In mid-January 2023, attackers targeted DocMorris, a Netherlands-based online pharmacy, through a credential-stuffing attack. Cybercriminals used automated tools to test login credentials obtained from other data breaches, exploiting customers' reuse of passwords across multiple services. Approximately 20,000 customer accounts were compromised, with attackers altering delivery addresses and placing fraudulent medication orders under customers' names. DocMorris proactively locked all affected accounts upon detecting unauthorized access attempts, regardless of whether customers had reused passwords or employed unique credentials through password managers. The company notified impacted customers via physical letters and emails, disclosing that attackers had successfully modified account details in some cases to redirect orders. German and Dutch data protection authorities were formally informed about the breach. DocMorris attributed the attack's success specifically to password reuse patterns, though some affected customers reported using unique passwords and password managers, suggesting the company implemented broader account locks as a precautionary measure during the attack window.

Following the incident, DocMorris modified its payment processing policies to mitigate future fraud risks. The company eliminated invoice-based payments and restricted transactions to prepayment methods such as PayPal, credit cards, Paydirekt, Viacash, and Klarna's instant bank transfers. This operational change occurred shortly before the attack became public and was framed as a protective measure against fraudulent activities. The credential-stuffing attack aligns with a broader pattern of similar incidents affecting major online services during this period, including notable breaches impacting 35,000 PayPal accounts and numerous NortonLifeLock customers. DocMorris maintained that no payment information was directly compromised through their systems, as the attackers leveraged externally sourced credentials rather than breaching DocMorris' internal databases to gain account access.
