Outdoor clothing giant The North Face has notified customers that their account may have been compromised, after noticing unusual activity on its website last month.
It detected the credential stuffing attack on August 11, although the campaign lasted from July 26 to August 19, according to a data breach notification seen by Infosecurity.
Credential stuffing exploits consumers who reuse passwords. Once a username/password combination has been breached, hackers run it through automated software that tries it against numerous other websites and apps to see which accounts it might unlock.
The end goal is typically to harvest any personal information stored in these accounts, to resell access on the dark web and/or to use stored card details to make fraudulent purchases.
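The detection side of what the article describes, as an added example that is not part of the original report and is not The North Face's own tooling: a small detector that reads login events and flags the signature of credential stuffing, one source address cycling through many distinct usernames with mostly failures inside a short window. The log format, the thresholds (five distinct users, 70% failure rate, ten-minute window) and the sample lines are all constructed for illustration. It also lists the accounts that succeeded from a flagged source, which is the set a site would disable passwords for, as the retailer did.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login events (not real traffic): timestamp, source IP, username, outcome.
# 198.51.100.7 sprays six different accounts and gets one hit; 203.0.113.5 is a single
# user mistyping a password once; 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2021-08-11T03:14:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2021-08-11T03:14:02Z ip=198.51.100.7 user=bob@example.com result=FAIL
2021-08-11T03:14:03Z ip=198.51.100.7 user=carol@example.com result=FAIL
2021-08-11T03:14:04Z ip=198.51.100.7 user=dave@example.com result=OK
2021-08-11T03:14:05Z ip=198.51.100.7 user=erin@example.com result=FAIL
2021-08-11T03:14:06Z ip=198.51.100.7 user=frank@example.com result=FAIL
2021-08-11T03:20:00Z ip=203.0.113.5 user=alice@example.com result=FAIL
2021-08-11T03:20:30Z ip=203.0.113.5 user=alice@example.com result=OK
2021-08-11T04:00:00Z ip=192.0.2.9 user=grace@example.com result=OK
"""

# Assumed log line layout; a real deployment would parse its own auth log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log lines into Event objects, skipping malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that try many distinct usernames with mostly failures within `window`.

    Returns {ip: {"attempts": n, "users": distinct usernames, "failures": f,
                  "compromised": [usernames that logged in successfully from that IP]}}.
    Thresholds are illustrative assumptions, not values from the article.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        # Sliding window over this IP's events; keep the largest qualifying burst.
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            failures = sum(1 for e in chunk if not e.ok)
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                if ip not in findings or len(chunk) > findings[ip]["attempts"]:
                    findings[ip] = {
                        "attempts": len(chunk),
                        "users": len(users),
                        "failures": failures,
                        "compromised": sorted({e.user for e in chunk if e.ok}),
                    }
    return findings


def accounts_to_reset(findings):
    """Accounts that authenticated from a flagged source: candidates for a forced password reset."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['attempts']} attempts, {info['users']} users, "
              f"{info['failures']} failures, hits={info['compromised']}")
    print("reset:", accounts_to_reset(found))
```

The single-user retry from 203.0.113.5 is deliberately left unflagged: a credential stuffing detector keys on breadth of usernames per source, not on failures alone, otherwise ordinary forgotten-password traffic drowns the signal. Attackers spread attempts across many addresses, so in practice the same counting is also applied per user agent, per ASN and per target account.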
However, North Face explained that it tokenized payment card information so that threat actors could not access this data.
“The attacker could not view a full payment card number, expiration date, or a CVV. We do not keep a copy of payment card details on thenorthface.com,” it noted.
“We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details. The token cannot be used to initiate a purchase anywhere other than on thenorthface.com.”
However, the retailer did warn some customers that attackers may have been able to hijack their accounts with previously breached credentials. If so, they may have been able to access information including purchase history, billing and shipping address, preferences, email address, first and last name, date of birth, telephone number, unique North Face ID number, gender and XPLR Pass reward records.
This would certainly be enough to attempt follow-on identity fraud or launch convincing phishing attacks.
On discovering the incident, the firm said it disabled passwords and erased payment card tokens from affected accounts. It will require these users to enter a new password and re-enter payment details the next time they log in.
If the same password is used on other sites or apps, they should change it to unique, strong credentials, it added.
Credential stuffing attacks are particularly prolific across retail and financial services sites. According to one estimate, 2020 saw 193 billion account takeover attempts, as cyber-criminals sought to capitalize on surging numbers of online users during the pandemic.