Out of doors attire retailer The North Face is warning prospects that their private info was stolen in credential stuffing assaults concentrating on the corporate’s web site in April.
The North Face is a significant American outside attire and tools model owned by VF Company that additionally controls Vans, Timberland, and Dickies.
The North Face generates over $3 billion in annual income, making it one of many largest outside manufacturers on the earth, with its e-commerce accounting for about 42% of its complete gross sales volumes.
Credential stuffing assaults are a sort of cyberattack the place menace actors try to achieve unauthorized entry to person accounts by automating login makes an attempt utilizing username-password pairs beforehand uncovered in information breaches.
The approach is feasible due to “credentials recycling,” which is when folks use the identical username and password throughout a number of on-line providers.
Nevertheless, if the accounts are protected by multi-factor authentication (MFA), these assaults fail even when the passwords are compromised.
The North Face has now begun to ship information breach notifications to impacted prospects, with a pattern discover shared with the Vermont Legal professional Basic that informs prospects that it lately suffered a credential stuffing assault.
“On April 23, 2025, we found uncommon exercise involving our web site, thenorthface.com, which we investigated instantly,” reads the discover.
“Following a cautious and immediate investigation, we concluded that an attacker had launched a small scale credential stuffing assault towards our web site on April 23, 2025.”
The info that has been uncovered consists of the next:
- Full title
- Buy historical past
- Transport tackle
- Electronic mail tackle
- Date of start
- Phone quantity
It’s famous that fee info was not uncovered, as an exterior supplier handles funds on the location, and The North Face does not retain something however a token required for the method to undergo.
A historical past of cybersecurity failures
Within the case of The North Face, the choice to not implement MFA on all accounts has come at a major value to its buyer base, as that is the fourth credential stuffing incident the model’s website has suffered since 2020.
Earlier this 12 months, its father or mother firm, VF Out of doors, knowledgeable of a credential stuffing assault impacting ‘thenorthface.com’ and ‘timberland.com,’ found on March 13, 2025. That incident uncovered 15,700 accounts.
Two related incidents have been disclosed in November 2020 and September 2022, impacting over 200,000 prospects.
Essentially the most extreme cybersecurity incident hitting The North Face was a December 2023 ransomware assault that was later confirmed to have impacted 35,000,000 prospects.
BleepingComputer has contacted The North Face to request extra particulars concerning the newest incident, together with what number of prospects are impacted, however we’re nonetheless ready for a response.
Handbook patching is outdated. It is gradual, error-prone, and hard to scale.
Be a part of Kandji + Tines on June 4 to see why outdated strategies fall quick. See real-world examples of how trendy groups use automation to patch quicker, minimize danger, keep compliant, and skip the advanced scripts.
