Out of doors attire retailer The North Face is warning clients that their private data was stolen in credential stuffing assaults focusing on the corporate’s web site in April.
The North Face is a significant American out of doors attire and tools model owned by VF Company that additionally controls Vans, Timberland, and Dickies.
The North Face generates over $3 billion in annual income, making it one of many largest out of doors manufacturers on the planet, with its e-commerce accounting for about 42% of its complete gross sales volumes.
Credential stuffing assaults are a sort of cyberattack the place menace actors try to achieve unauthorized entry to person accounts by automating login makes an attempt utilizing username-password pairs beforehand uncovered in knowledge breaches.
The method is feasible due to “credentials recycling,” which is when folks use the identical username and password throughout a number of on-line companies.
Nonetheless, if the accounts are protected by multi-factor authentication (MFA), these assaults fail even when the passwords are compromised.
The North Face has now begun to ship knowledge breach notifications to impacted clients, with a pattern discover shared with the Vermont Lawyer Basic that informs clients that it just lately suffered a credential stuffing assault.
“On April 23, 2025, we found uncommon exercise involving our web site, thenorthface.com, which we investigated instantly,” reads the discover.
“Following a cautious and immediate investigation, we concluded that an attacker had launched a small scale credential stuffing assault in opposition to our web site on April 23, 2025.”
The info that has been uncovered consists of the next:
- Full title
- Buy historical past
- Transport handle
- E-mail handle
- Date of start
- Phone quantity
It’s famous that cost data was not uncovered, as an exterior supplier handles funds on the location, and The North Face does not retain something however a token required for the method to undergo.
A historical past of cybersecurity failures
Within the case of The North Face, the choice to not implement MFA on all accounts has come at a big price to its buyer base, as that is the fourth credential stuffing incident the model’s website has suffered since 2020.
Earlier this 12 months, its mother or father firm, VF Out of doors, knowledgeable of a credential stuffing assault impacting ‘thenorthface.com’ and ‘timberland.com,’ found on March 13, 2025. That incident uncovered 15,700 accounts.
Two comparable incidents had been disclosed in November 2020 and September 2022, impacting over 200,000 clients.
Essentially the most extreme cybersecurity incident hitting The North Face was a December 2023 ransomware assault that was later confirmed to have impacted 35,000,000 clients.
BleepingComputer has contacted The North Face to request extra particulars concerning the newest incident, together with what number of clients are impacted, however we’re nonetheless ready for a response.
Guide patching is outdated. It is gradual, error-prone, and hard to scale.
Be a part of Kandji + Tines on June 4 to see why outdated strategies fall brief. See real-world examples of how trendy groups use automation to patch quicker, lower threat, keep compliant, and skip the complicated scripts.
