North Face customers who have user accounts on the outdoor apparel brand's website have been targeted by a large-scale credential stuffing attack as their confidential information from hundreds of thousands of accounts was nearly obtained by cybercriminals.
The credential stuffing attack on The North Face website began on July 26, 2022, but the website's administrators detected the unusual activity on August 11, 2022, and were able to stop it on August 19, 2022.
A credential stuffing attack happens when attackers use email addresses/usernames and password combinations they culled from data breaches in hacking attempts on other websites.
The success of these attacks depend on the users' rampant password recycling, or when an individual uses the same credentials on different online platforms.
Read Also: Twilio Confirms 125 Customers Have Been Affected by Data Breach - Have Passwords Been Stolen?
Data from 200,000 Accounts Compromised
After probing the attack, North Face determined that the attackers managed to hack close to 200,000 accounts using valid credentials, potentially obtaining such customer information as:
- Full name
- Purchase history
- Billing address
- Shipping address
- Telephone number
- Account creation date
- Gender
- XPLR Pass reward records
Fortunately, credit card data are not stored on the website. Thus, the attackers were not able to access sensitive financial data.
Credit Card Details, Other Financial Data Safe, Says North Face
"We do not keep a copy of payment card details on thenorthface.com. We only retain a "token" linked to your payment card, and only our third-party payment card processor keeps payment card details," explains the firm in the breach notification.
Read Also: Data of Thousands of Taxpayers Compromised Due to IRS Mistake
"The token cannot be used to initiate a purchase anywhere other than on thenorthface.com."
In response to the security incident, the VF Corporation (formerly Vanity Fair Mills), North Face's parent firm, is sending notices of data breaches to affected customers.
In addition, all user passwords on northface.com have been reset, and all payment card tokens on the accounts accessed by unauthorized intruders were removed.
New Strong, Unique Passwords Encouraged to Avoid Similar Incident from Happening
Thus, affected customers with a user account on the website need to enter a new password and re-enter payment card details to purchase an item.
These users are expected to pick a unique, strong (long) password and avoid the comfort of recycling credentials.
Also, if the customers use the same passwords on other online platforms, they must change them to a unique one dedicated to the site immediately to avoid a similar incident from happening.
Not the First Data Breach on North Face
This is the second time The North Face reset passwords after a successful credential stuffing attack. The first attack transpired on November 2020.
Among the brands under VF Corporation are Vans, Timberland, Eastpak, Kipling, Dickies, and Napapijri, aside from The North Face. However, those other brands apparently have not been affected by this data breach or similar attacks.
Related Article: T-Mobile Data Breach 2021: 100 Million Users Exposed in Latest Hacking, Is There a Fix?
