Credential Stuffers Scaled The North Face to Access Accounts

Outdoor clothing giant The North Face has notified customers that it has been hit by a credential stuffing attack which may have given third parties access to their personal information.

In a data breach notice filed with the Californian Office of the Attorney General (OAG), the San Francisco-headquartered firm claimed that the brute force attack had been launched against its site on October 8-9.

A credential stuffing attack occurs when cyber-criminals use automated software to try previously breached log-ins across a large range of sites: they’ll be able to access accounts where the individual has reused their password.

Fortunately, The North Face uses tokenization to obfuscate customer card details, but customers’ personal information  may have been accessed in the incident.

“Based on our investigation, we believe that the attacker obtained your email address and password from another source and may have accessed the information stored on your account at, including products you have purchased on our website, products you have saved to your ‘favorites,’ your billing address, your shipping address(es), your VIPeak customer loyalty point total, your email preferences, your first and last name, your birthday (if you saved it to your account), and your telephone number (if you saved it to your account),” the noticed read.

As a precaution, the firm deleted all payment card tokens on the site, limited logins from suspicious sources and disabled all passwords from accounts compromised in the attack. Affected customers will need to create new passwords and re-enter payment card details, it said.

“We strongly encourage you not to use the same password for your account at that you use on other websites, because if one of those other websites is breached, your email address and password could be used to access your account at,” the notice continued.

“In addition, we recommend avoiding using easy-to-guess passwords. You should also be on alert for schemes, known as phishing attacks, where malicious actors may pretend to represent The North Face or other organizations, and you should not provide your personal information in response to any electronic communications regarding a cybersecurity incident.”

Retail accounted for over 90% of the 64 billion credential stuffing attempts detected by Akamai over the period July 1 2018 to June 30 2020.

What’s Hot on Infosecurity Magazine?