
The North Face says customer data stolen in cyberattack


  • The North Face has notified customers of a data breach
  • Hackers ran a credential stuffing attack on its website and breached customer accounts
  • They stole names, addresses, and phone numbers

The North Face has confirmed suffering a credential stuffing attack through which cybercriminals exfiltrated sensitive customer information.

The outdoor clothing and equipment company has filed a new notice with the Vermont Attorney General, which also included the data breach notification letter sent out to affected customers.

In the letter, the company said it discovered “unusual activity” on its website on April 23, 2025. The subsequent investigation showed that an unidentified attacker ran a “small-scale credential stuffing attack”, using login credentials obtained elsewhere, most likely purchased from the dark web.


Payment information intact

“Credential stuffing attacks can occur when individuals use the same authentication credentials on multiple websites,” The North Face said. “We encourage all of our customers to use a unique password on our website.”

The crooks made away with people’s shipping addresses, preference information, email addresses, full names, dates of birth, and phone numbers.

“Payment card (credit, debit, or stored value card) information was not compromised on our website,” the company added.

“The attacker could not view your payment card number, expiration date, or your CVV (the short code on the back of your card).”

As The North Face explained, payment data was not taken because it’s not being stored on its servers. The company only retains a token linked to the payment card, while the payment processor retains the details.

“The token cannot be used to initiate a purchase anywhere other than on our website. Accordingly, your credit card information is not at risk as a result of this incident.”

The North Face also said notifying customers wasn’t necessary, given the nature of the stolen information, but decided to do it anyway “out of an abundance of caution.” Even so, names, birth dates, postal addresses, and phone numbers are more than enough information to create custom, convincing phishing emails that can result in identity theft, payment information theft, wire fraud, and more.

Via BleepingComputer
