Password Attack — The North Face Confirms Data Breach
The North Face confirms data breach.
When it comes to outdoor apparel, fashion brands don’t come much bigger than The North Face. When it comes to data-stealing attacks, hackers don’t get it much easier than using credential-stuffing tactics. The North Face has now confirmed that just such an easy path has been taken by password attackers who managed to steal names, addresses, purchase histories and telephone numbers from affected customers. Here’s what you need to know.
Armed With Customer Passwords, Hackers Attacked The North Face
The North Face is a major player in the fashion industry, boasting an annual revenue of over $3 billion. It should come as no surprise, then, that it is on the radar of cybercriminals. The American retailer, part of the VF Corporation group, which also owns brands such as Dickies, Timberland, and Vans, has confirmed that it suffered a data breach on April 23.
As data breach notifications begin to arrive for affected customers, it becomes possible to reveal what has happened. Confirming that unusual activity was detected on The North Face website, VF Outdoor, LLC, said that “an attacker had launched a small-scale credential stuffing attack” on April 23.
A credential-stuffing attack is when a hacker has access to usernames and passwords from previous breaches, and there are billions of these available online, against other accounts. If your login details are shared across more than one site or service, you are at risk of such an attack. When one account is breached, all others using the same credentials can be compromised by a determined attacker.
“Hackers can get started with credential stuffing attacks by investing as little as $500 in credential stuffing software, access to email and password combo lists, and the use of both public and private proxy services for obfuscation,” Benjamin Fabre, CEO of DataDome, said.
The North Face disclosure stated that it quickly disabled passwords to halt the attack, and all users will need to create a new and unique password on the website if they have not already done so. “We strongly encourage you not to use the same password for your account at our website that you use on other websites,” The North Face said.
Information that was compromised included: name, purchase history, shipping address, email address, date of birth and telephone number. However, payment information has not been compromised as a third-party provider handles all site payments.
I have reached out to VF Corporation for a statement regarding the password attack impacting customers of The North Face.