
The North Face hit by credential stuffing attack • The Register

Joining the long queue of retailers dealing with cyber mishaps is outdoorsy fashion brand The North Face, which says crooks broke into some customer accounts using login creds pinched from breaches elsewhere.

According to a consumer notice filed with the Vermont Attorney General’s Office, the outdoor gear seller spotted unusual activity on April 23.

It described the incident as a “small-scale credential stuffing attack” that likely involved login details stolen from previous breaches, targeting users who reused the same credentials across multiple websites.

The North Face said attackers used these stolen credentials to access some customer accounts.

Reiterating that the login data originated from a breach unrelated to its own systems, the biz said the accessed account information may have included full names, order histories, shipping addresses, preferences, and, if saved by the user, dates of birth and telephone numbers.

The attackers might already have access to email addresses and passwords, which were required to log into the site.

No payment card information was exposed, according to The North Face. It explained that card numbers, CVVs, and expiry dates are handled by a third-party processor and not stored on its website.

“We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details,” the notification [PDF] read. “The token cannot be used to initiate a purchase anywhere other than on our website.”

The Register contacted The North Face’s parent company, VF Corporation, which suffered its own data disaster in 2023 affecting 35.5 million customers, for more details, but it did not immediately respond.

“We do not believe that the incident involved information that would require us to notify you of a data security breach under applicable law,” The North Face said. “However, we are notifying you of the incident voluntarily, out of an abundance of caution.”

According to the notification, the attack targeted customer accounts on thenorthface.com, its US website.

Customers outside the US who visit that URL are typically redirected to local versions of the site, which suggests the incident likely affected predominantly US accounts.

The North Face reset user passwords following the incident, so anyone who hasn’t logged in since April 23 will need to create a new one. It warned users not to reuse credentials from other sites.

“We strongly encourage you not to use the same password for your account at our website that you use on other websites,” it said. “If a breach occurs on one of those other websites, an attacker could use your email address and password to access your account at our website.

“In addition, we recommend avoiding using easy-to-guess passwords. You should also be on alert for schemes known as ‘phishing’ attacks, where malicious actors may pretend to represent us or other organizations. You should not provide your personal information in response to any electronic communications regarding a cybersecurity incident.”
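Credential stuffing of the kind described above leaves a recognisable footprint in a site's login logs: one client address cycling through many distinct accounts in a short window, mostly failing, with the occasional success marking an account that reused a leaked password. The following Python detector is an added example, not code from The Register or The North Face; the log line format, the sample addresses and accounts, and the thresholds are all assumptions.

```python
"""Flag credential-stuffing sources in web login logs (constructed example).

Heuristic: a single client IP that attempts logins against many distinct
accounts within a short window, with a high failure ratio, is replaying a
leaked credential list rather than mistyping its own password.  Successful
logins inside such a window are the accounts a defender should reset first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, client IP,
# account, outcome.  The format is an assumption for this example.
SAMPLE_LOG = """\
2025-04-23T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-04-23T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-04-23T10:00:02Z 203.0.113.7 carol@example.com OK
2025-04-23T10:00:03Z 203.0.113.7 dave@example.com FAIL
2025-04-23T10:00:03Z 203.0.113.7 erin@example.com FAIL
2025-04-23T10:00:04Z 203.0.113.7 frank@example.com FAIL
2025-04-23T10:05:00Z 198.51.100.9 grace@example.com FAIL
2025-04-23T10:05:30Z 198.51.100.9 grace@example.com FAIL
2025-04-23T10:06:00Z 198.51.100.9 grace@example.com OK
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: {accounts, failures, attempts, succeeded}} for every IP
    whose activity in some sliding window matches the stuffing heuristic."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # shrink window
                start += 1
            chunk = evs[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if len(accounts) >= min_accounts and failures / len(chunk) >= min_fail_ratio:
                hit = flagged.setdefault(ip, {"accounts": 0, "failures": 0,
                                              "attempts": 0, "succeeded": set()})
                hit["accounts"] = max(hit["accounts"], len(accounts))
                hit["failures"] = max(hit["failures"], failures)
                hit["attempts"] = max(hit["attempts"], len(chunk))
                hit["succeeded"].update(u for _, u, ok in chunk if ok)
    return flagged
```

The second address in the sample, repeatedly failing against one account before succeeding, is ordinary user behaviour and is not flagged; per-account lockouts address that case, while the per-source, many-account pattern is what a stuffing detector should alert on.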

The attack follows data thefts at other major retailers of late, most recently including jeweler Cartier, which said the breach affected “limited client information” but did not respond to The Register’s questions about the scale of the attack.

Fellow sporty fashion house Adidas also confirmed last week that attackers had made off with basic personal data.

Victoria’s Secret, whose products aren’t quite as suited for the outdoors, blamed a nondescript “security incident” for its website outage in the same week.

And three big UK retailers – M&S, Co-op, and Harrods – all disclosed their respective high-profile disruptive attacks during the month prior. ®
