the north face credential stuffing attack

The North Face has reset an undisclosed number of customer accounts after detecting a credential-stuffing attack on its website.

The North Face has reset its customers’ passwords after attackers launched a credential-stuffing attack against the popular outdoor outfitter’s website.

In a recent data-breach notification, the company told customers that it was alerted to “unusual activity involving its website,” thenorthface.com, on Oct. 9. There, customers can buy clothing and gear online, create accounts and gain loyalty points as part of its “VIPeak Rewards Program.” After further investigation, The North Face concluded that attackers had launched a credential-stuffing attack against its website from Oct. 8 to Oct. 9.

Credential stuffing is accomplished by hackers who take advantage of people who reuse the same passwords across multiple online accounts. Credential-stuffing attackers typically use IDs and passwords stolen from another source, such as a breach of another company or website, which they then try to use to log in to other accounts — thus gaining unauthorized access. The process is often automated, and cybercriminals have successfully leveraged the approach to steal data from various popular companies, including hitting donut shop Dunkin’ (in fact two times in three months).

“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from The North Face) and subsequently used those same credentials to access your account on thenorthface.com,” according to the data breach notification.

The North Face is the U.S. market leader in the outdoor clothing and accessories sector, according to StatSocial, pulling in more than $2 billion of the industry’s $4 billion annual earnings in 2019. The North Face did not disclose how many customers were impacted by the attack, but it could be considerable: According to SimilarWeb, the website received 6.96 million website visitors in October.

Threatpost has reached out to The North Face for clarification.

Beyond customers’ email addresses and passwords, cybercriminals may have accessed information stored on customers’ accounts at thenorthface.com. This includes details on products that have been purchased on the company’s website, items that have been saved to “favorites,” as well as customers’ billing addresses, shipping addresses, loyalty point totals, email preferences, first and last names, birthdays and telephone numbers – all data that is ripe for abuse when it comes to developing social-engineering tricks for phishing attacks.

The North Face does not keep a copy of payment-card data (including credit, debit or stored value cards) on thenorthface.com – meaning attackers were not able to view payment-card numbers, expiration dates or CVVs.

The North Face said that once it became aware of the incident, the company implemented measures that limit account logins from sources that are suspicious or in patterns that are suspicious.

“As a further precaution, we disabled all passwords from accounts that were accessed during the timeframe of the attack,” according to the company. “We also erased all payment-card tokens from all accounts on thenorthface.com. As such, you will need to create a new (unique) password and enter your payment-card information again the next time you shop on thenorthface.com.”

Because so many consumers re-use their passwords, credential-stuffing attacks continue to be a popular way for cybercriminals to access victims’ accounts. In October, for instance, diners at popular chicken-dinner chain Nando’s saw hundreds of dollars being siphoned out of their bank accounts after cybercriminals were able to access their restaurant ordering credentials. And earlier in February, FC Barcelona’s official Twitter account was hacked in an apparent credential-stuffing attack

The North Face encouraged customers to ensure that they use unique passwords and don’t repeat their passwords in general.

“Credential-stuffing attacks can occur when individuals use the same authentication credentials on multiple websites, which is why we encourage you to use a unique password on thenorthface.com,” said the company.

Hackers Put a Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.