Dark Web News Analysis
Dark web sources report a potentially disruptive data incident involving Doctolib, the leading medical appointment booking platform in France and Germany. A threat actor is offering a database for sale for $600, claiming it was scraped from the platform.
The dataset reportedly contains 323,084 records, described as “incomplete” by the seller. The exposed fields include Personally Identifiable Information (PII) such as First Names, Last Names, Email Addresses, Phone Numbers, Postal Codes, and Mobile Numbers. The breach date is listed as January 16, 2026, suggesting this is a very recent extraction of data.
Key Cybersecurity Insights
While “scraping” differs from a direct database hack, the result for the end-user—the loss of privacy—is often the same, especially in the medical sector:
The threat actor claims the data was “scraped.” This typically means they used automated bots to harvest data that was publicly visible (or visible to logged-in users) rather than exploiting a vulnerability to steal hidden passwords. However, scraping 323,000 specific user records implies a potential abuse of an API endpoint or an “ID Enumeration” flaw where the attacker cycled through user IDs to pull profiles.
- Medical Phishing (Smishing): The exposure of Mobile Numbers and Names linked to Doctolib is dangerous. Attackers can send SMS messages pretending to be a doctor’s office: “Doctolib Alert: Your appointment for tomorrow requires confirmation. Click here.” or “Your recent test results are ready to view.” The medical context induces high anxiety, making victims more likely to click malicious links.
- Geographic Targeting: With Postal Codes included, scammers can tailor their attacks. They can pretend to be health authorities from a specific département (e.g., sending fake health alerts to users in Paris or Lyon) to increase credibility.
- GDPR Implications: Doctolib is a custodian of health data. Even if the data was “scraped” rather than “hacked,” failing to prevent mass scraping can be seen as a failure to implement adequate security measures under GDPR, potentially leading to investigations by the CNIL.
Mitigation Strategies
To protect patient trust and platform integrity, the following strategies are recommended:
- Anti-Scraping Measures: Doctolib should implement stricter Rate Limiting and CAPTCHA challenges on public-facing endpoints and APIs to prevent bots from harvesting mass user data.
- User Advisory: Inform users that Doctolib will never ask for financial details via SMS. Educate them on how to verify appointment notifications directly within the official app.
- Threat Hunting: Analyze web server logs from January 16, 2026, to identify the IP addresses responsible for the scraping activity and block them.
- Data Minimization: Ensure that public profiles or API responses do not return sensitive contact info (like mobile numbers) unless the user has explicitly authorized it for a specific booking.
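One way to run the log review described under Threat Hunting, looking for the ID-enumeration pattern mentioned above. This is an added example, not code from Doctolib or Brinztech; the `/api/profiles/<id>` path, the thresholds and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical endpoint shape (assumption): GET /api/profiles/<numeric id>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /api/profiles/(?P<id>\d+)[^"]*" (?P<status>\d{3}) '
)

def find_enumerators(lines, min_ids=5, min_seq_ratio=0.8):
    """Return {ip: stats} for clients whose profile requests walk an ID counter."""
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # count every status: enumeration also produces 404s
            ids_by_ip[m.group("ip")].add(int(m.group("id")))
    flagged = {}
    for ip, id_set in ids_by_ip.items():
        ids = sorted(id_set)
        if len(ids) < min_ids:
            continue  # too few distinct profiles to judge
        # Share of neighbouring IDs that differ by exactly 1.
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        ratio = steps / (len(ids) - 1)
        if ratio >= min_seq_ratio:
            flagged[ip] = {"distinct_ids": len(ids), "seq_ratio": round(ratio, 2)}
    return flagged

def _line(ip, profile_id, sec, status=200, ua="Mozilla/5.0"):
    # Builds one constructed access-log line in combined log format.
    return (f'{ip} - - [16/Jan/2026:10:00:{sec:02d} +0000] '
            f'"GET /api/profiles/{profile_id} HTTP/1.1" {status} 512 "-" "{ua}"')

# Constructed sample: one client walking IDs 1000..1011, two ordinary clients.
SAMPLE_LOG = (
    [_line("203.0.113.7", i, i % 60, ua="python-requests/2.31")
     for i in range(1000, 1012)]
    + [_line("198.51.100.20", pid, 5) for pid in (4412, 4412, 9031)]
    + [_line("192.0.2.5", pid, 9) for pid in (17, 230, 5120, 77, 9004, 312)]
)

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(ip, stats)
```

A scraper that spreads requests across many addresses or shuffles the ID order will not trip a per-IP sequential check, so treat it as one signal alongside request volume and per-account access counts.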
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com