Unauthorized Logins Trigger Breach Investigation at The North Face
Outdoor apparel retailer The North Face is alerting its customers after detecting a credential stuffing attack in April 2025. The attack resulted in unauthorized access to customer accounts, potentially exposing personal information. VF Corporation, The North Face’s parent company, issued notification letters on May 30, following internal investigations that began on April 23.
“Following a careful and prompt investigation, we concluded that an attacker had launched a small-scale credential stuffing attack against the site,” VF Corp stated.
The company clarified that this notification was voluntary and not driven by regulatory requirements. No exact number of impacted accounts was shared.
How Credential Stuffing Worked in This Case
Credential stuffing is a method where attackers use previously breached login credentials to gain access to user accounts on different platforms. These credentials are often obtained from dark web marketplaces and reused under the assumption that users recycle their passwords across multiple services.
Benjamin Fabre, CEO of bot protection firm DataDome, said:
“Credential stuffing relies on the widespread problem of password reuse to gain access to online accounts.”
According to Fabre, 81% of users reuse passwords or variations of the same password, making it easy for attackers to access multiple services once they’ve acquired one valid set of credentials.
“These types of breaches often go undetected for an extended period of time,” he added, since “logging into a customer account is not necessarily a suspicious action.”
Customer Data Exposed, But Payment Information Remains Safe
The North Face confirmed that no credit card or banking data was accessed. The retailer emphasized that it does not store payment card details on its website.
“Payment card (credit, debit, or stored value card) information was not compromised. The attacker could not view your payment card number, expiration date, or your CVV,” the company said.
Instead, VF Corp uses tokenization to handle payment data. These tokens are only valid for purchases made through The North Face’s website and cannot be used elsewhere.
Still, attackers did manage to access personal information from user accounts, including:
- First and last names
- Email addresses
- Date of birth (if saved)
- Telephone number (if saved)
- Shipping addresses
- Products purchased
- Account preferences
Though financial data was protected, Fabre warned that access to this type of information could enable identity theft or further targeted attacks.
Low Cost, High Impact: The Economics of Credential Stuffing
Fabre explained that credential stuffing attacks can be launched with minimal investment. For as little as $500, threat actors can purchase:
- Combo lists of email and password pairs
- Credential checking software
- Proxy services for hiding their origin
“Today’s automated credential cracking and credential stuffing tools are designed to check hundreds of thousands of credential combinations against multiple websites,” he noted.
Repeat Breaches Across VF Corp’s Brands
This isn’t the first time The North Face has dealt with credential stuffing. In 2022, the company disclosed a similar incident affecting nearly 200,000 customer accounts.
VF Corporation as a whole has also faced broader cybersecurity challenges. In December 2023, the company experienced a significant ransomware attack that disrupted operations and exposed the personal data of more than 35 million customers. The ALPHV/BlackCat ransomware group claimed responsibility.
VF Corp owns several global brands including Vans, Timberland, and JanSport. Given its portfolio, repeated cyberattacks pose a considerable threat to its customer base and retail operations.
Company Advises Immediate Password Changes
In its notification, VF Corp urged customers to:
- Change their passwords for The North Face account
- Avoid reusing passwords across different platforms
- Update any accounts where similar login details are used
While the incident is described as “small-scale,” the potential risks tied to reused passwords and unauthorized access make credential stuffing a persistent threat—especially for high-profile retail brands managing large volumes of customer data.
