Outside attire retailer The North Face is warning clients that their private data was stolen in credential stuffing assaults concentrating on the corporate’s web site in April.
The North Face is a significant American out of doors attire and gear model owned by VF Company that additionally controls Vans, Timberland, and Dickies.
The North Face generates over $3 billion in annual income, making it one of many largest out of doors manufacturers on the planet, with its e-commerce accounting for roughly 42% of its whole gross sales volumes.
Credential stuffing assaults are a kind of cyberattack the place menace actors try to realize unauthorized entry to consumer accounts by automating login makes an attempt utilizing username-password pairs beforehand uncovered in knowledge breaches.
The method is feasible due to “credentials recycling,” which is when individuals use the identical username and password throughout a number of on-line companies.
Nevertheless, if the accounts are protected by multi-factor authentication (MFA), these assaults fail even when the passwords are compromised.
The North Face has now begun to ship knowledge breach notifications to impacted clients, with a pattern discover shared with the Vermont Lawyer Normal that informs clients that it not too long ago suffered a credential stuffing assault.
“On April 23, 2025, we found uncommon exercise involving our web site, thenorthface.com, which we investigated instantly,” reads the discover.
“Following a cautious and immediate investigation, we concluded that an attacker had launched a small scale credential stuffing assault in opposition to our web site on April 23, 2025.”
The info that has been uncovered contains the next:
Full title
Buy historical past
Transport tackle
E-mail tackle
Date of delivery
Phone quantity
It’s famous that cost data was not uncovered, as an exterior supplier handles funds on the positioning, and The North Face does not retain something however a token required for the method to undergo.
A historical past of cybersecurity failures
Within the case of The North Face, the choice to not implement MFA on all accounts has come at a major value to its buyer base, as that is the fourth credential stuffing incident the model’s web site has suffered since 2020.
Earlier this yr, its father or mother firm, VF Outside, knowledgeable of a credential stuffing assault impacting ‘thenorthface.com’ and ‘timberland.com,’ found on March 13, 2025. That incident uncovered 15,700 accounts.
Two comparable incidents have been disclosed in November 2020 and September 2022, impacting over 200,000 clients.
Probably the most extreme cybersecurity incident hitting The North Face was a December 2023 ransomware assault that was later confirmed to have impacted 35,000,000 clients.
BleepingComputer has contacted The North Face to request extra particulars in regards to the newest incident, together with what number of clients are impacted, however we’re nonetheless ready for a response.
Guide patching is outdated. It is sluggish, error-prone, and difficult to scale.
Be a part of Kandji + Tines on June 4 to see why previous strategies fall quick. See real-world examples of how fashionable groups use automation to patch quicker, lower danger, keep compliant, and skip the complicated scripts.
