A massive credential stuffing hack has targeted “The North Face”
The North Face, a manufacturer of outdoor clothing, was the target of a widespread credential stuffing attack that led to the compromise of 194,905 accounts on the thenorthface.com website. A “credential stuffing attack” is an attempt by threat actors to access user accounts on other websites using stolen email addresses, usernames, and passwords.
Reusing the same login information across many online platforms, or “password recycling,” is crucial to the success of these attacks. The credential stuffing attack on The North Face website started on July 26, 2022. The website administrators discovered the suspicious behavior on August 11, 2022, and they were able to stop the attack on August 19, 2022.
After looking into the incident, North Face discovered that the perpetrators breached nearly 200,000 accounts using legitimate login credentials, potentially gaining access to the following customer data:
- Full name
- Purchase history
- Billing address
- Shipping address
- Telephone number
- Account creation date
- XPLR Pass reward records
Since the website does not keep payment information like credit card numbers, hackers could not obtain private financial data. “Payment card information is not stored by us on thenorthface.com. Your payment card information is exclusively stored by our third-party payment card processor, and we simply hold a ‘token’ linked to it,” the company says in its notification of the breach.
The token can only be used to start a purchase on thenorthface.com, according to the statement. Customers who have been affected by the security incident are receiving notifications of a data breach from the parent company of the brand, VF Corporation (previously Vanity Fair Mills).
All user passwords have also been changed, and all payment card tokens on accounts that were accessed without authorization have been deleted. Hence, impacted consumers with an account on the website will have to enter a new password and re-enter their credit card data to make a transaction.