Thousands Hit by The North Face Credential Stuffing Attack

Sports apparel and footwear giant VF Corporation is notifying over 2,800 individuals that their personal information was compromised in a recent credential stuffing attack aimed at The North Face website.

Credential stuffing occurs when threat actors leverage email addresses, usernames, and passwords compromised in a previous data breach to access accounts on a different online service where the same credentials have been used.

According to notification letters VF Corporation sent this week to the impacted individuals, copies of which were submitted to multiple regulators, a threat actor employed this technique on April 23 against a small set of user accounts on thenorthface.com website.

“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our website,” the company’s notification letter reads.

VF Corporation says it discovered the suspicious activity on the same day, and informed the Maine Attorney General’s Office that a total of 2,861 user accounts were compromised.

The campaign resulted in the attackers gaining access to the information stored in the compromised accounts, such as names, addresses, email addresses, dates of birth, phone numbers, user preferences, and details on the items purchased on the website.

The company underlines that payment card information was not compromised because it does not store such data on its website.

“We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details. The token cannot be used to initiate a purchase anywhere other than on our website. Accordingly, your credit card information is not at risk as a result of this incident,” it says.

VF Corporation says it disabled the passwords for the impacted accounts immediately after discovering the attacks, and is urging users to create strong, unique passwords to avoid similar incidents.

“We strongly encourage you not to use the same password for your account at our website that you use on other websites. If a breach occurs on one of those other websites, an attacker could use your email address and password to access your account at our website,” the company explains.

Impacted users are advised to be wary of phishing attacks as threat actors could use the compromised information to impersonate the organization.

Headquartered in Denver, Colorado, VF Corporation owns 11 brands, including Eastpak, JanSport, The North Face, and Timberland.

Related: A Guide to Security Investments: The Anatomy of a Cyberattack

Related: MainStreet Bank Data Breach Impacts Customer Payment Cards

Related: Amtrak Says Guest Rewards Accounts Hacked in Credential Stuffing Attacks

Related: Staffing Firm Robert Half Says Hackers Targeted Over 1,000 Customer Accounts