Credential Stuffers Scaled The North Face to Access Accounts

Outdoor clothing giant The North Face has notified customers that it has been hit by a credential stuffing attack which may have given third parties access to their personal information.





In a data breach notice filed with the Californian Office of the Attorney General (OAG), the San Francisco-headquartered firm claimed that the brute force attack had been launched against its site on October 8-9.





A credential stuffing attack occurs when cyber-criminals use automated software to try previously breached log-ins across a large range of sites: they’ll be able to access accounts where the individual has reused their password.





Fortunately, The North Face uses tokenization to obfuscate customer card details, but customers’ personal information may have been accessed in the incident.





“Based on our investigation, we believe that the attacker obtained your email address and password from another source and may have accessed the information stored on your account at thenorthface.com, including products you have purchased on our website, products you have saved to your ‘favorites,’ your billing address, your shipping address(es), your VIPeak customer loyalty point total, your email preferences, your first and last name, your birthday (if you saved it to your account), and your telephone number (if you saved it to your account),” the notice read.





As a precaution, the firm deleted all payment card tokens on the site, limited logins from suspicious sources and disabled all passwords from accounts compromised in the attack. Affected customers will need to create new passwords and re-enter payment card details, it said.
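
A sketch of how a defender might identify "suspicious sources" and the accounts needing a password reset, as an added example that is not taken from The North Face's notice or systems. It flags any source IP that tries many distinct accounts with mostly failed logins inside a short window, which separates credential stuffing from repeated guesses against one account. The event tuple format, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (ISO timestamp, source IP, username, outcome).
# IPs are from documentation ranges; nothing here comes from the incident.
SAMPLE_EVENTS = (
    [("2020-01-01T10:00:%02d" % i, "203.0.113.7", "user%d@example.com" % i,
      "ok" if i == 17 else "fail") for i in range(30)]
    + [("2020-01-01T10:05:%02d" % i, "198.51.100.4", "alice@example.com", "fail")
       for i in range(4)]
    + [("2020-01-01T10:06:00", "198.51.100.4", "alice@example.com", "ok")]
)


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=20, min_fail_ratio=0.8):
    """Return {ip: [accounts with a successful login]} for sources that tried
    many distinct accounts, mostly unsuccessfully, inside one sliding window.
    Thresholds are illustrative assumptions, not recommended values."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "ok"))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the left edge until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {user for _, user, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(accounts) >= min_accounts and fails / len(span) >= min_fail_ratio:
                # Every account this source logged in to is a reset candidate.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged


if __name__ == "__main__":
    for ip, hits in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, "-> force password reset for:", hits)
```

The single user who mistypes a password four times before logging in is not flagged, because the rule keys on the number of distinct accounts per source rather than on the failure count alone.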





“We strongly encourage you not to use the same password for your account ..
