An undisclosed number of customers of outdoor clothing retailer The North Face have had their passwords reset by the company, following a credential-stuffing attack.
The company has revealed that on October 9, 2020, it became aware that hackers had used usernames and passwords stolen from a third-party website to gain unauthorised access to customer accounts.
In a data breach notification sent to affected customers, The North Face explained that the hackers may have gained access to account information - including products previously purchased on its website, products that have been saved to "favorites", billing and shipping addresses, names, birthdays, telephone numbers, email preferences, and loyalty point totals.
Fortunately, The North Face does not store payment card details, so the firm is confident that credit card information is not at risk.
The North Face says that it "does not believe the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution."
Nonetheless, it does sound as if some unauthorised purchases may have been made as a result of the security breach. The North Face told Bleeping Computer that it will offer full refunds for any purchases made by the hackers.
Credential-stuffing attacks exploit the fact that many people reuse the same password on several websites: an attacker takes username and password pairs leaked from one site's breach and replays them, usually with automated tooling, against the login pages of other sites. (As I say over and over again, you should never reuse your passwords. It's a recipe for disaster.)
The North Face agrees:
We strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites, because if one of those other websites is breached, your email address and password could be used to access your account at thenorthface.com.
The company warns users to be on their guard against phishing attacks which pose as legitimate communications from The North Face, and has reset the passwords of affected users.
In addition, The North Face says it has introduced measures to spot suspicious activity that might signify a credential-stuffing attack in future.
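The article does not say what those measures are, so what follows is an added example of the kind of detection logic a site operator might run over its login logs, not The North Face's own code. It uses constructed sample log lines (the IP addresses, usernames and the 60-second window, five-distinct-usernames and 50% failure-rate thresholds are all assumptions chosen for illustration). The idea, which follows from how the attack works, is that a stuffing tool walks a breached list and so touches many different accounts from one source with mostly failed logins, whereas a legitimate user who mistypes their password hits one account. Any success inside a flagged burst is probably a reused password, which is exactly the account to reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login audit records for this example (not real
# thenorthface.com logs).  Fields: ISO-8601 timestamp, source IP, username, outcome.
# 203.0.113.7 sprays ten different accounts in a few seconds (two reused passwords hit);
# 198.51.100.4 is one user mistyping their own password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2020-10-09T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-10-09T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-10-09T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2020-10-09T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-10-09T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-10-09T10:00:04Z 203.0.113.7 frank@example.com FAIL
2020-10-09T10:00:04Z 203.0.113.7 grace@example.com SUCCESS
2020-10-09T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2020-10-09T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2020-10-09T10:00:06Z 203.0.113.7 judy@example.com FAIL
2020-10-09T10:01:00Z 198.51.100.4 alice@example.com FAIL
2020-10-09T10:01:20Z 198.51.100.4 alice@example.com FAIL
2020-10-09T10:01:45Z 198.51.100.4 alice@example.com SUCCESS
2020-10-09T10:02:00Z 192.0.2.9 bob@example.com SUCCESS
"""


def parse_log(text):
    """Parse whitespace-separated login records into (time, ip, user, success) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"))
    return records


def detect_credential_stuffing(records, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any sliding time window, attempt logins to at
    least `min_users` distinct usernames with a failure rate of at least
    `min_fail_ratio`.  Thresholds are illustrative assumptions, not tuned values.
    Returns {ip: {"attempts", "distinct_users", "failures", "accounts_to_reset"}}."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until recs[start:end+1] spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r[2] for r in win}
            failures = sum(1 for r in win if not r[3])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                alert = alerts.setdefault(
                    ip, {"attempts": 0, "distinct_users": 0, "failures": 0, "accounts_to_reset": set()}
                )
                # Report the most populous flagged window seen for this IP.
                if len(win) > alert["attempts"]:
                    alert.update(attempts=len(win), distinct_users=len(users), failures=failures)
                # A success inside a stuffing burst is a reused password: that account needs a reset.
                alert["accounts_to_reset"].update(r[2] for r in win if r[3])

    for alert in alerts.values():
        alert["accounts_to_reset"] = sorted(alert["accounts_to_reset"])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {a['distinct_users']} usernames in {a['attempts']} attempts, "
              f"{a['failures']} failures; reset: {', '.join(a['accounts_to_reset'])}")
```

Run on the sample, only 203.0.113.7 is flagged (ten usernames, eight failures) and carol and grace are listed for a password reset; the three failed attempts from 198.51.100.4 against a single account are left alone. One caveat a practitioner would add: real stuffing campaigns are usually spread across many proxy addresses precisely to stay under per-IP thresholds, so production detection also watches the site-wide login failure rate and per-account patterns rather than relying on a per-IP rule alone.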
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.