The outdoor recreation apparel company The North Face suffered a credential stuffing attack that compromised over 194,905 accounts. The North Face sent out data breach notification letters and initiated password resets for affected accounts, according to Bleeping Computer.
Credential stuffing attacks involve using login information from previous data breaches to compromise accounts whose owners reuse the same login credentials across multiple websites
Owned by VF Corporation, The North Face sister brands include Altra, Dickies, Eastpak, Ice Breaker, Kipling, Napapijri, Supreme, Timberland, and Vans. In 2019, the company made $2 billion of the industry’s $4 billion, making it one of the market leaders in the outdoor apparel segment.
The North Face credential stuffing attack exposed personal and purchase information
The North Face apparel company stopped the attack on August 19 after detecting unusual activity on August 11, although the attack had begun on July 26, 2022.
The North Face determined that the attackers had accessed customer account information of nearly 200,000 users. Details leaked in the credential stuffing attack include user’s full name, telephone number, gender, account creation date, purchase history, billing and shipping addresses, and loyalty points.
However, the attackers did not access credit card numbers, expiration dates, and CVVs since the company does not store that information.
“We do not keep a copy of payment card details on thenorthface.com. We only retain a “token” linked to your payment card, and only our third-party payment card processor keeps payment card details,” the data breach notification stated.
Additionally, The North Face explained that the stored payment card tokens could not be used to make purchases on any other website except at thenorthface.com.
Subsequently, the company took additional measures by deleting the existing payment tokens to prevent abuse. Thus, customers must re-authorize their credit cards to make purchases on the website.
Paul Bischoff, privacy advocate at Comparitech, warned that the attackers will not stop at The North Face, “If you have a North Face account and it has a password that’s the same as other account passwords, you should change all of them immediately.”
Users should reset the password of any account that shared login credentials with compromised accounts at thenorthface.com. Additionally, they should remain vigilant for phishing attacks attempting to steal personal information by impersonating The North Face staff using leaked information.
Users should also avoid sending account, payment, and personal information to individuals requesting such details via email, text messages, or social media. Legitimate companies have defined processes of collecting that information on their websites and hardly rely on email, text, or social media.
According to Uriel Maimon, Head of Emerging Products at Human Security, the North Face credential stuffing attack would have a cascading effect on other accounts.
“We should expect that the credentials stolen from The North Face will soon be tested on other apps that we use to power our daily lives,” Maimon said. “Therefore, It is important that app users and site owners make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks.”
“Malicious login attempts out of total logins trended upwards during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak,” he said.
Signs of an underlying security problem
The incident marks the second time The North Face had reset passwords after a similar credential stuffing attack in 2020.
“We strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites because if one of those other websites is breached, your email address and password could be used to access your account at thenorthface.com ,” the company told its customers in 2020.
The apparel company has not disclosed the source of the stolen details used in the recent credential stuffing attack. In 2020, the company indicated that attackers had obtained users’ credentials from a third-party website and compromised an undisclosed number of customer accounts at thenorthface.com.
Evidently, the 2020 and 2022 credential stuffing attacks follow similar patterns suggesting an underlying security problem that requires a permanent solution.