North Face Suffers Large Scale Credential Stuffing Attack Exposing 200K User Accounts

The outdoor recreational apparel brand The North Face has reportedly been hit by a major credential stuffing attack. In a credential stuffing attack, threat actors take user login credentials exposed in unrelated data breaches and enter them into a targeted website or service. This form of cyberattack takes advantage of users who re-use login credentials across multiple accounts. It doesn’t matter how strong a password is if it’s exposed in a data breach along with a username or email address.

Evidently, many customers of The North Face did not secure their accounts with unique passwords. According to BleepingComputer, the attackers managed to gain unauthorized access to 194,905 user accounts on thenorthface.com. A security incident notice obtained by the publication states that The North Face detected unusual activity on its website. After investigating the situation, the company discovered that a threat actor conducted a credential stuffing attack against thenorthface.com users spanning from July 26 to August 19.

Once The North Face figured out what was happening, it disabled the passwords of the affected accounts, requiring account owners to create new passwords. This particular credential stuffing attack likely is not the last one The North Face will undergo, having been the subject of a different credential stuffing attack in November 2020. The company emphasizes that users should protect their accounts with unique passwords in order to prevent this kind of attack from happening again.

The notice also assures customers that their debit/credit card information was not compromised in this attack. Thenorthface.com makes use of payment card tokens that link to card details stored by a third-party payment processor, so the threat actors could not have accessed payment card credentials in this attack. Nonetheless, The North Face went ahead and deleted these payment tokens from compromised user accounts for good measure. Affected users will need to enter their payment card information and save this information the next time they make a purchase on the website in order to generate new payment tokens.


While BleepingComputer’s reporting doesn’t mention this detail, the document shared by the publication also includes a similar security incident notice from the skateboarding apparel company Vans. The North Face and Vans brands are owned by the same parent company, VF Corporation, which looks to be sending security incident notices to customers of both brands. However, all three companies have yet to publicly acknowledge the cyberattacks beyond the notices obtained by BleepingComputer.

According to the Vans notice, vans.com suffered a similar credential stuffing attack between August 19 and 20. Vans may have been quicker to implement mitigation measures after being alerted by the attack on The North Face, limiting this second attack to just a two-day period. Unfortunately, we don’t have a figure for the number of accounts compromised in this second credential stuffing attack, though we’d expect the number to be lower given the shorter attack window.

Vans responded to this attack in the same manner as The North Face, deleting the passwords and payment tokens of compromised accounts. Both brands encourage affected customers to monitor their financial accounts, request free credit reports, and implement credit freezes and fraud alerts to defend against identity theft in the wake of these attacks.

Besides the password and email address of each account accessed, the threat actors may have obtained the following information from each compromised account: