Outdoor Retailer The North Face Reports Customer Data Exposed in Credential Stuffing Attack
Outdoor apparel giant The North Face is notifying customers of a data breach following a credential stuffing attack on its website that occurred on April 23, 2025. According to a notification shared with the Vermont Attorney General’s office, the company detected unusual activity on its site and determined it stemmed from an automated attempt to gain unauthorized access using previously compromised credentials.
“On April 23, 2025, we discovered unusual activity involving our website, thenorthface.com, which we investigated immediately,” the notice states.
“Following a careful and prompt investigation, we concluded that an attacker had launched a small scale credential stuffing attack against our website.”
Credential stuffing is a tactic where threat actors exploit reused usernames and passwords from prior data breaches. If users do not enable multi-factor authentication (MFA), attackers are often successful in accessing their accounts—even with old credentials.
The North Face, a subsidiary of VF Corporation, generates over $3 billion annually, with e-commerce contributing nearly 42% of that revenue. Despite its market scale, the company has now suffered four credential stuffing incidents since 2020.
What Data Was Compromised in the April Incident
The compromised data in the April 2025 breach includes:
- Full name
- Purchase history
- Shipping address
- Email address
- Date of birth
- Telephone number
The company clarified that no payment card data was exposed. Payments are processed externally, and The North Face does not retain card details—only the token required for transaction authorization.
A Pattern of Repeated Credential-Based Breaches
This latest breach adds to a growing list of cybersecurity incidents involving The North Face. Earlier in 2025, parent company VF Outdoor reported a similar credential stuffing event affecting both thenorthface.com and timberland.com, which exposed data from approximately 15,700 customer accounts.
Earlier security incidents were also reported in:
- November 2020 and September 2022 — affecting over 200,000 customers
- December 2023 — a major ransomware attack that impacted 35 million customer records
The recurring nature of these events highlights the persistent risks posed by password reuse and the absence of mandatory multi-factor authentication for user accounts.
As of now, The North Face has not disclosed the total number of customers impacted in the April 2025 breach. The company has been contacted for additional details but has not yet responded.
Enterprise businesses are urged to examine the case as a cautionary example. Organizations handling user data at scale should consider enforcing MFA, monitoring for credential stuffing attempts, and continuously educating users about password hygiene to prevent similar outcomes.
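As an illustration of monitoring for credential stuffing attempts, the following added example (not code from The North Face or its notice) flags login sources that try many distinct accounts only a few times each and mostly fail, which is the pattern that separates credential stuffing from a single user mistyping a password. The event format, thresholds, addresses and account names are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample login events (not from the incident): (source_ip, username, success)
SAMPLE_EVENTS = (
    # One source walking a list of leaked credentials: many accounts, one try each.
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(7)]
    + [("203.0.113.7", "dana@example.com", True)]
    # One customer who forgot a password: many tries, single account.
    + [("198.51.100.20", "erin@example.com", False)] * 6
    + [("198.51.100.20", "erin@example.com", True)]
    # Shared office address: several accounts, all successful.
    + [("192.0.2.50", f"staff{i}@example.com", True) for i in range(5)]
)

def detect_credential_stuffing(events, min_accounts=5, max_tries_per_account=2,
                               min_failure_ratio=0.8):
    """Return {source_ip: [accounts that logged in successfully]} for flagged sources.

    A source is flagged when it touches at least `min_accounts` distinct accounts,
    averages at most `max_tries_per_account` attempts per account, and fails at
    least `min_failure_ratio` of its attempts. Thresholds are assumed defaults.
    """
    # source_ip -> username -> [attempts, successes]
    per_source = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ip, user, ok in events:
        stats = per_source[ip][user]
        stats[0] += 1
        stats[1] += int(ok)

    findings = {}
    for ip, users in per_source.items():
        attempts = sum(a for a, _ in users.values())
        successes = sum(s for _, s in users.values())
        avg_tries = attempts / len(users)
        failure_ratio = 1 - successes / attempts
        if (len(users) >= min_accounts
                and avg_tries <= max_tries_per_account
                and failure_ratio >= min_failure_ratio):
            # A successful login from a flagged source means the reused password
            # still worked: treat the account as compromised and force a reset.
            findings[ip] = sorted(u for u, (_, s) in users.items() if s)
    return findings

if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing, accounts to reset: {accounts}")
```

Grouping by source address is an assumption of this example; the same counting can be keyed on any other attribute the login logs carry.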