The North Face Issues Customer Warning After April Credential Attack

Vlad CONSTANTINESCU

June 03, 2025


Outdoor apparel brand The North Face notified its customers of a credential stuffing attack in April.

The North Face April breach

A credential stuffing attack compromised personal data on The North Face’s website in April. The US outdoor apparel retailer, owned by VF Corporation, disclosed the breach in notifications sent to affected users and filed with state regulators.

According to the notice, the breach was identified on April 23 after the company detected suspicious activity on its website. A prompt investigation revealed that attackers had used previously exposed login credentials to access customer accounts.

Multiple data types exposed by attack

The company uses an external provider to handle payments across its website, so threat actors couldn’t access customer payment data. Reportedly, The North Face only stores a token needed to process transactions.

Even so, the security incident exposed several types of sensitive information, including:

  • Full names
  • Shipping addresses
  • Email addresses
  • Phone numbers
  • Dates of birth
  • Purchase histories

The dangers of credential stuffing attacks

Credential stuffing attacks exploit targets’ tendency to recycle passwords across platforms without additional security mechanisms, such as multi-factor authentication (MFA).

In such an attack, threat actors take credentials harvested from unrelated breaches and try them against other services, gaining access to the accounts of people who reuse the same credentials across multiple sites.
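The pattern described above (many different accounts, each tried only once or twice from the same source) can be picked out of authentication logs. The following is an added example, not code from The North Face or from the article's author; the event format, thresholds, and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = (
    # One source walking through 8 different accounts, one attempt each
    [(f"2025-01-01T10:00:{i:02d}", "203.0.113.7", f"user{i}@example.com", i == 5)
     for i in range(8)]
    # One source retrying a single account: password guessing or a forgetful user
    + [(f"2025-01-01T10:01:{i:02d}", "198.51.100.20", "alice@example.com", False)
       for i in range(6)]
    # Ordinary successful login
    + [("2025-01-01T10:02:00", "192.0.2.10", "bob@example.com", True)]
)

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_tries_per_account=2.0):
    """Flag source IPs that touch many distinct accounts with few tries each.

    Thresholds are illustrative assumptions and need tuning per site.
    Returns {ip: {"accounts", "attempts", "compromised"}}.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than `window` of time
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            spread_out = len(chunk) / len(users) <= max_tries_per_account
            best_so_far = flagged.get(ip, {}).get("accounts", 0)
            if len(users) >= min_accounts and spread_out and len(users) > best_so_far:
                flagged[ip] = {
                    "accounts": len(users),
                    "attempts": len(chunk),
                    # Successful logins from a flagged source: candidates for forced reset
                    "compromised": sorted({u for _, u, ok in rows if ok}),
                }
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_EVENTS))
```

Grouping by source IP alone misses campaigns spread across many addresses, so in practice the same counting is also applied per network, user agent, or other shared fingerprint.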

A pattern of cybersecurity lapses

This is the fourth credential-stuffing attack The North Face has suffered in five years.

Last March, the company disclosed an attack that impacted more than 15,000 user accounts on both The North Face and Timberland websites.

In 2022, The North Face suffered another credential stuffing attack, affecting nearly 200,000 shoppers.

The most severe case, however, occurred in December 2023, when a ransomware attack on VF Corporation compromised data tied to 35 million customers.

Being prepared for data breaches

Unfortunately, data breaches strike indiscriminately, affecting companies and their customers alike. However, preparing for data breaches can help you manage their fallout more efficiently.

Dedicated solutions like Bitdefender Digital Identity Protection can help you monitor the extent of your online persona, find out if your data has been leaked in a breach in real time, and patch weak spots in your digital footprint quickly.
