The North Face warns customers of April credential stuffing attack
Outdoor apparel retailer The North Face is warning customers that their personal information was stolen in credential stuffing attacks targeting the company’s website in April.
The North Face is a major American outdoor apparel and equipment brand owned by VF Corporation that also controls Vans, Timberland, and Dickies.
The North Face generates over $3 billion in annual revenue, making it one of the largest outdoor brands in the world, with its e-commerce accounting for approximately 42% of its total sales volumes.
Credential stuffing attacks are a type of cyberattack where threat actors attempt to gain unauthorized access to user accounts by automating login attempts using username-password pairs previously exposed in data breaches.
The technique is possible thanks to “credentials recycling,” which is when people use the same username and password across multiple online services.
However, if the accounts are protected by multi-factor authentication (MFA), these attacks fail even if the passwords are compromised.
The North Face has now begun to send data breach notifications to impacted customers, with a sample notice shared with the Vermont Attorney General that informs customers that it recently suffered a credential stuffing attack.
“On April 23, 2025, we discovered unusual activity involving our website, thenorthface.com, which we investigated immediately,” reads the notice.
“Following a careful and prompt investigation, we concluded that an attacker had launched a small scale credential stuffing attack against our website on April 23, 2025.”
The data that has been exposed includes the following:
- Full name
- Purchase history
- Shipping address
- Email address
- Date of birth
- Telephone number
It is noted that payment information was not exposed, as an external provider handles payments on the site, and The North Face doesn’t retain anything but a token required for the process to go through.
A history of cybersecurity failures
In the case of The North Face, the decision not to enforce MFA on all accounts has come at a significant cost to its customer base, as this is the fourth credential stuffing incident the brand’s site has suffered since 2020.
Earlier this year, its parent company, VF Outdoor, informed of a credential stuffing attack impacting ‘thenorthface.com’ and ‘timberland.com,’ discovered on March 13, 2025. That incident exposed 15,700 accounts.
Two similar incidents were disclosed in November 2020 and September 2022, impacting over 200,000 customers.
The most severe cybersecurity incident hitting The North Face was a December 2023 ransomware attack that was later confirmed to have impacted 35,000,000 customers.
BleepingComputer has contacted The North Face to request more details about the latest incident, including how many customers are impacted, but we are still waiting for a response.
Manual patching is outdated. It’s slow, error-prone, and tough to scale.
Join Kandji + Tines on June 4 to see why old methods fall short. See real-world examples of how modern teams use automation to patch faster, cut risk, stay compliant, and skip the complex scripts.
Source link
