The North Face has reset the passwords of an undisclosed number of customers who shop on its online store after the outdoor retail giant suffered a credential stuffing attack (opens in new tab) at the beginning of October.
Credential stuffing is a technique employed by cybercriminals where username and password combinations from a previous data breach or data leak are used to try and access a user's other online accounts. These types of attacks are particularly effective against those who reuse their credentials (opens in new tab) across multiple sites and services online.
According to a notice sent out to affected North Face customers, the attackers were able to access a variety of personal information on its users including their names, birthdays, telephone numbers, billing and shipping addresses, purchased or favorite products and email preferences.
- We've put together a list of the best antivirus (opens in new tab)software around
- Keep your device virus free with the best malware removal (opens in new tab) software
- Also check out our roundup of the best firewall (opens in new tab)
Thankfully though, no credit or debit card information was accessible to those behind the credential stuffing attack as this information is not stored on North Face's website.
Credential stuffing attack
In the notification (opens in new tab) sent out to affected customers, North Face explained that it was warning users affected by the credential stuffing attack despite the fact that the attackers did not obtain enough information for the company to be required to notify them of a data breach, saying:
“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from The North Face) and subsequently used those same credentials to access your account on thenorthface.com. We do not believe that the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution.”
Once North Face detected suspicious activity on its website, the company implemented a series of security measures aimed at limiting the account login rate from suspicious sources as well as those showing a suspicious pattern. It then deleted all tokens associated with customer's credit and debit cards on its website.
Users impacted by the credential stuffing attack will need to update their payment information and create new passwords the next time they visit North Face's online store.
While the attack could have been much worse, it still serves as a reminder for users to always create strong, unique passwords for all of their accounts. This can easily be done using a password generator (opens in new tab) though many password managers (opens in new tab) also now include the ability to automatically generate strong, unique passwords as well.
- We've also highlighted the best endpoint protection software (opens in new tab)
Via BleepingComputer (opens in new tab)