The North Face warns customers of April credential stuffing attack

Outdoor apparel retailer The North Face is warning customers that their personal information was stolen in credential stuffing attacks targeting the company’s website in April.

The North Face is a major American outdoor apparel and equipment brand owned by VF Corporation, which also controls Vans, Timberland, and Dickies.

The North Face generates over $3 billion in annual revenue, making it one of the largest outdoor brands in the world, with its e-commerce accounting for roughly 42% of its total sales volumes.

Credential stuffing attacks are a type of cyberattack where threat actors attempt to gain unauthorized access to user accounts by automating login attempts using username-password pairs previously exposed in data breaches.

The technique is possible because of “credential recycling,” which is when people use the same username and password across multiple online services.

However, if the accounts are protected by multi-factor authentication (MFA), these attacks fail even if the passwords are compromised.
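A defender-side view of the pattern described above, as an added example that is not from the original article or from The North Face: it flags source IPs that try many distinct accounts about once each and mostly fail, and separates accounts whose password was accepted outright from those stopped at the MFA step. The log format, field names, thresholds and sample lines are constructed assumptions, and no time window is applied.

```python
import re
from collections import defaultdict

# Constructed sample (hypothetical log format; documentation-range IPs).
SAMPLE_LOG = """\
2025-04-23T10:00:01Z ip=203.0.113.7 user=ann@example.com result=fail
2025-04-23T10:00:01Z ip=203.0.113.7 user=raj@example.com result=fail
2025-04-23T10:00:02Z ip=203.0.113.7 user=lee@example.com result=ok
2025-04-23T10:00:02Z ip=203.0.113.7 user=kim@example.com result=fail
2025-04-23T10:00:03Z ip=203.0.113.7 user=joe@example.com result=mfa_blocked
2025-04-23T10:00:03Z ip=203.0.113.7 user=eva@example.com result=fail
2025-04-23T10:01:10Z ip=198.51.100.20 user=bob@example.com result=fail
2025-04-23T10:01:25Z ip=198.51.100.20 user=bob@example.com result=ok
2025-04-23T10:02:00Z ip=198.51.100.99 user=sam@example.com result=fail
2025-04-23T10:02:01Z ip=198.51.100.99 user=sam@example.com result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(fail|ok|mfa_blocked)$")

def find_stuffing_sources(log, min_users=5, max_tries_per_user=2.0, min_fail_ratio=0.6):
    """Flag IPs that try many distinct accounts, about once each, and mostly fail."""
    stats = defaultdict(lambda: {"tries": 0, "fails": 0, "users": set(),
                                 "ok": set(), "mfa": set()})
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not login events
        _ts, ip, user, result = m.groups()
        s = stats[ip]
        s["tries"] += 1
        s["users"].add(user)
        if result == "fail":
            s["fails"] += 1
        elif result == "ok":
            s["ok"].add(user)   # password accepted, no second factor required
        else:
            s["mfa"].add(user)  # password accepted, stopped at the MFA step
    flagged = {}
    for ip, s in stats.items():
        n_users = len(s["users"])
        if (n_users >= min_users
                and s["tries"] / n_users <= max_tries_per_user
                and s["fails"] / s["tries"] >= min_fail_ratio):
            flagged[ip] = {
                "taken_over": sorted(s["ok"]),                 # lock and notify
                "password_known": sorted(s["ok"] | s["mfa"]),  # force reset
            }
    return flagged
```

The single-user retry from 198.51.100.20 and the repeated failures against one account from 198.51.100.99 are not flagged, because neither touches many distinct accounts.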

The North Face has now begun to send data breach notifications to impacted customers, with a sample notice shared with the Vermont Attorney General that informs customers that it recently suffered a credential stuffing attack.

“On April 23, 2025, we discovered unusual activity involving our website, thenorthface.com, which we investigated immediately,” reads the notice.

“Following a careful and prompt investigation, we concluded that an attacker had launched a small scale credential stuffing attack against our website on April 23, 2025.”

The information that has been exposed includes the following:

  • Full name
  • Purchase history
  • Shipping address
  • Email address
  • Date of birth
  • Telephone number

It is noted that payment information was not exposed, as an external provider handles payments on the site, and The North Face doesn’t retain anything but a token required for the process to go through.

A history of cybersecurity failures

In the case of The North Face, the decision not to enforce MFA on all accounts has come at a significant cost to its customer base, as this is the fourth credential stuffing incident the brand’s site has suffered since 2020.

Earlier this year, its parent company, VF Outdoor, disclosed a credential stuffing attack impacting ‘thenorthface.com’ and ‘timberland.com,’ discovered on March 13, 2025. That incident exposed 15,700 accounts.

Two similar incidents were disclosed in November 2020 and September 2022, impacting over 200,000 customers.

The most severe cybersecurity incident hitting The North Face was a December 2023 ransomware attack that was later confirmed to have impacted 35,000,000 customers.

BleepingComputer has contacted The North Face to request more details about the latest incident, including how many customers are impacted, but we’re still waiting for a response.
