North Face, a part of VF Corporation, has been hit by a cyberattack resulting in some personal data being compromised.
In an announcement to customers, the company’s VF Outdoor division said at the end of April a “credential stuffing” technique was used to access the personal information of customers, gaining access to information such as products purchased on The North Face website, and information stored on the website that could include customers’ names, addresses, phone number and date of birth.
Credential stuffing is a type of cyberattack where the attacker collects stolen account credentials, typically consisting of lists of usernames or email addresses and the passwords used. This information is then used to try to gain access to other websites. Most at risk, therefore, are people who use the same password across multiple sites.
In an email to affected customers, VF Outdoor/North Face said: “Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our Website.”
The company stressed that no credit card information was accessed, as this is dealt with by another site.
“Payment card (credit, debit, or stored value card) information was not compromised on our Website. The attacker could not view your payment card number, expiration date, or your CVV (the short code on the back of your card). This is because we do not keep a copy of that information on our Website,” the email stated.
The company, which owns several clothing brands, including Timberland, Dickies and Vans, urged North Face customers to change their passwords, strongly suggesting this is a unique password not used on any other site.
Colorado-based VF Corp. also suffered a ransomware attack in December 2023, an incident that led to more than 35 million customers of its Vans brand being affected globally. It is believed that up to 3,000 customers were affected by the latest incident.
