The North Face resets customer passwords following online attack

North Face Logo
(Image credit: North Face)
Audio player loading…

The North Face has reset the passwords of an undisclosed number of customers who shop on its online store after the outdoor retail giant suffered a credential stuffing attack (opens in new tab) at the beginning of October.

Credential stuffing is a technique employed by cybercriminals where username and password combinations from a previous data breach or data leak are used to try and access a user's other online accounts. These types of attacks are particularly effective against those who reuse their credentials (opens in new tab) across multiple sites and services online.

According to a notice sent out to affected North Face customers, the attackers were able to access a variety of personal information on its users including their names, birthdays, telephone numbers, billing and shipping addresses, purchased or favorite products and email preferences.

Thankfully though, no credit or debit card information was accessible to those behind the credential stuffing attack as this information is not stored on North Face's website.

Credential stuffing attack

In the notification (opens in new tab) sent out to affected customers, North Face explained that it was warning users affected by the credential stuffing attack despite the fact that the attackers did not obtain enough information for the company to be required to notify them of a data breach, saying:

“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from The North Face) and subsequently used those same credentials to access your account on thenorthface.com. We do not believe that the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution.” 

Once North Face detected suspicious activity on its website, the company implemented a series of security measures aimed at limiting the account login rate from suspicious sources as well as those showing a suspicious pattern. It then deleted all tokens associated with customer's credit and debit cards on its website.

Users impacted by the credential stuffing attack will need to update their payment information and create new passwords the next time they visit North Face's online store.

While the attack could have been much worse, it still serves as a reminder for users to always create strong, unique passwords for all of their accounts. This can easily be done using a password generator (opens in new tab) though many password managers (opens in new tab) also now include the ability to automatically generate strong, unique passwords as well.

Via BleepingComputer (opens in new tab)

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.