The North Face Suffers Data Breach in Credential Stuffing Attack, Customer Information Exposed

 

Outdoor gear giant The North Face has issued a warning to its customers following a cyberattack in April that compromised sensitive personal data through a credential stuffing incident.

A subsidiary of VF Corporation — which also owns Vans, Timberland, and Dickies — The North Face is a prominent American brand generating over $3 billion in annual revenue. Approximately 42% of its sales come through online channels, making its e-commerce platform a prime target for cyber threats.

Credential stuffing is a technique where attackers use stolen username-password combinations from previous breaches to access user accounts on other platforms. This form of attack often succeeds because many individuals reuse the same login credentials across multiple services. However, such breaches are largely preventable with the use of multi-factor authentication (MFA), which adds an extra layer of security.

The company has begun notifying affected users, sharing a sample breach notice with the Vermont Attorney General. The alert states:

“On April 23, 2025, we discovered unusual activity involving our website, thenorthface.com, which we investigated immediately,”

“Following a careful and prompt investigation, we concluded that an attacker had launched a small scale credential stuffing attack against our website on April 23, 2025.”

According to the company, the compromised data includes:
  • Full names
  • Purchase history
  • Shipping addresses
  • Email addresses
  • Dates of birth
  • Telephone numbers

Fortunately, financial data was not affected, as payments on the website are managed by a third-party provider, and The North Face does not store actual payment information, only secure tokens used for processing.

This isn’t the first time the company has faced such an incident. The latest breach marks the fourth credential stuffing event since 2020. Earlier in 2025, a similar attack was reported on both The North Face and Timberland websites, impacting over 15,700 accounts. Past incidents in 2020 and 2022 affected more than 200,000 users in total.

The most severe breach occurred in December 2023, when a ransomware attack compromised data from 35 million customers.

BleepingComputer has reached out to The North Face for further details, including the total number of users impacted in the April incident, but has yet to receive a response.