Cyber Incident Victim: Morgenstern AG
Date: Aug 2025
Location: Germany
Summary
Morgenstern AG, a Reutlingen‑based provider of document and printing solutions with three hundred employees, experienced an attempted cyber intrusion that forced the firm to shut down its IT systems and operate in emergency mode. IT specialists, forensic analysts, the Esslingen police and the internal security team are examining the infrastructure to restore normal services. Customers were told to disable TeamViewer connections and change passwords, while investigators consider the remote‑support tool and a Gmail contact address as possible entry points. The company says the attack was blocked and it continues working toward full recovery.
Description
On Thursday, 7 August 2025, Morgenstern AG experienced an attempted cyberattack that the company later stated it had successfully stopped. The first indication of a problem reached observers on Friday, 8 August 2025, through a private Facebook message describing a current disturbance that limited the company’s accessibility. A reader of that message noted that Morgenstern appeared to have been hacked that day, though no further details were available at the time. The incident remained unverified until the morning of Tuesday, 12 August 2025, when visitors to the Morgenstern website saw a popup announcing that an attempted cyberattack on 7 August had been thwarted and that, for security reasons, the IT systems had been shut down.

The popup also informed visitors that the company would operate in emergency mode for the coming days while external IT service providers, forensic investigators, the criminal police in Esslingen, and the internal IT team examined all systems to restore normal service as quickly as possible. As part of the response, Morgenstern contacted its customers, advising them to close any active TeamViewer sessions and to change their passwords. Observers noted that, during the incident, the company’s listed contact address was temporarily a Gmail account. Among the customers notified was the textile manufacturer Trigema, which is described as a known client of Morgenstern. Commenters on the article pointed out that the use of TeamViewer with simple passwords, weak passwords kept in Excel spreadsheets, and potentially compromised KeePass accounts had been noted in similar incidents elsewhere. One anonymous contributor inquired whether there were publicly available statistics on attacks that exploited TeamViewer. In its own statement, Morgenstern said that it had brought in external security specialists, shut down its IT systems, and notified customers while work continued to bring all services back online.
