20,000 accounts hacked at Dutch online mail-order pharmacy DocMorris (Jan. 2023)

Trouble for customers of the online mail-order pharmacy DocMorris. Days ago, the mail-order company had already restricted its payment options due to invoice fraud, and it now requires payment in advance. Now it is reported that 20,000 user accounts at DocMorris were hacked via a credential stuffing attack. DocMorris has blocked these accounts.


DocMorris demands prepayment

As of January 25, 2023, German site apotheke-adhoc.de reported that the online mail-order pharmacy DocMorris had suddenly changed its payment methods and required payment in advance. Until now, DocMorris offered numerous ways to pay for orders in its online shop (PayPal, Mastercard or Visa credit card, Klarna, Paydirekt, cash payment or invoice). Now, apotheke-adhoc.de writes, probably only payment methods where the customer pays in advance are allowed.

The background was numerous fraud attempts, as a spokesperson for the company confirmed to the outlet: "In recent weeks, there have been increased fraud attempts at many online stores, including DocMorris. To protect our customers and ourselves, we are currently offering more payment methods that are less likely to be associated with fraud. In addition to the currently limited payment by invoice and direct debit, we offer our customers many other payment methods for their orders (Paypal, credit card, Paydirekt, cash payment/Viacash, and Klarna)."

20,000 accounts hacked via credential stuffing attack

It has now become known that there was probably a credential stuffing attack on the online accounts of the online mail-order pharmacy DocMorris. In such an attack, the attackers try out lists of usernames and passwords that are known from previous hacks and are traded on the darknet. If a customer reuses such credentials for several online accounts, or uses weak passwords that appear in these lists, the attackers gain access to the account.
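The login pattern described above can be spotted in authentication logs. The following is an added example, not part of the original article or anything DocMorris uses: the log format, the thresholds and all sample lines are constructed assumptions. It flags source addresses that try many distinct accounts once or twice each with mostly failed logins, and lists the accounts that were successfully accessed.

```python
from collections import defaultdict

# Constructed sample log, hypothetical format: "timestamp source_ip username result"
SAMPLE_LOG = """\
2023-01-20T10:00:01 203.0.113.7 anna@example.org FAIL
2023-01-20T10:00:02 203.0.113.7 ben@example.org FAIL
2023-01-20T10:00:03 203.0.113.7 cara@example.org FAIL
2023-01-20T10:00:04 203.0.113.7 dora@example.org OK
2023-01-20T10:00:05 203.0.113.7 emil@example.org FAIL
2023-01-20T10:00:06 203.0.113.7 finn@example.org FAIL
2023-01-20T10:05:10 198.51.100.23 gina@example.org FAIL
2023-01-20T10:05:31 198.51.100.23 gina@example.org FAIL
2023-01-20T10:06:02 198.51.100.23 gina@example.org OK
2023-01-20T11:00:00 192.0.2.10 hans@example.org OK
2023-01-20T11:02:00 192.0.2.10 ida@example.org OK
2023-01-20T11:03:00 192.0.2.10 jan@example.org OK
2023-01-20T11:04:00 192.0.2.10 kim@example.org OK
2023-01-20T11:05:00 192.0.2.10 lea@example.org OK
"""

# Thresholds are illustrative assumptions and must be tuned to real traffic.
def detect_stuffing(log_text, min_users=5, max_tries_per_user=2, max_hit_ratio=0.3):
    """Map each suspicious source IP to the accounts it logged in to successfully."""
    attempts = defaultdict(lambda: defaultdict(list))  # ip -> username -> [success?]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, ip, user, result = parts
        attempts[ip][user.lower()].append(result == "OK")
    flagged = {}
    for ip, users in attempts.items():
        total = sum(len(results) for results in users.values())
        hits = sorted(u for u, results in users.items() if any(results))
        # Stuffing pattern: many distinct accounts, only a try or two per
        # account (one leaked password each), and most of them failing.
        if (len(users) >= min_users
                and total / len(users) <= max_tries_per_user
                and len(hits) / len(users) <= max_hit_ratio):
            flagged[ip] = hits  # candidates for blocking and notification
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "accounts accessed:", accounts)
```

The single user who mistypes a password and the shared office address with five successful logins are not flagged. Grouping by source address is only one signal, since attempts can be spread over many addresses.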


According to a tweet, attackers succeeded in cracking 20,000 customer accounts at DocMorris in this way. German site heise reported on this (referring to a German Spiegel article, paywalled), and German site apotheke-adhoc.de also has a report on the credential stuffing attack on DocMorris. According to DocMorris, the affected customers had been informed in accordance with Article 34 of the General Data Protection Regulation (GDPR) and the accounts had been blocked.


DocMorris, a subsidiary of the Zur Rose Group, has sent the affected customers new access data by mail. With this data, the blocked customer accounts can be unlocked again. In the letter, which heise shows as an excerpt, it says: "Please do not assign a password that you already use with another provider". The sender's explanation: "As you may have gathered from the media, there are currently again increased fraudulent activities of hackers on the Internet. Unfortunately, DocMorris was also affected by this."

A spokesman for the company is quoted by apotheke-adhoc.de as saying that the company reacted immediately after learning of the attack. In addition to blocking the accounts, "further technical and organizational measures" had been taken to prevent, as far as possible, a repeat of such an attack in the future.

DocMorris has called in the Dutch authorities: "The entire incident was documented internally and reported to the relevant supervisory authorities. We are also working closely with cybersecurity and privacy experts as well as law enforcement to respond to further developments," it said.
