The North Face, in an email to some of its customers, stated that the company had discovered a “small-scale” cyberattack in April of this year and that an unauthorized party may have stolen some of their personal information but not their financial information, which the company processes through a third party.
According to The North Face, the perpetrators employed a method known as “credential stuffing,” a type of cyberattack where threat actors attempt to gain unauthorized access to user accounts by automating login attempts using username/password pairs previously exposed in data breaches. The technique is possible due to “credentials recycling,” when consumers use the same username and password across multiple online services.
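As an added illustration (not from The North Face or its Notice), the pattern described above can be spotted in login logs: one source trying many different usernames in a short window, with almost all attempts failing. The log format, thresholds and sample events below are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, login succeeded)
SAMPLE_EVENTS = (
    # One source cycling through 12 different accounts in under a minute;
    # a single recycled password happens to work (user07).
    [(f"2000-01-01T10:00:{i * 5:02d}", "203.0.113.7",
      f"user{i:02d}@example.com", i == 7) for i in range(12)]
    # A customer who mistypes a password twice, then logs in.
    + [("2000-01-01T10:01:00", "198.51.100.4", "alice@example.com", False),
       ("2000-01-01T10:01:10", "198.51.100.4", "alice@example.com", False),
       ("2000-01-01T10:01:25", "198.51.100.4", "alice@example.com", True)]
    # Repeated failures against ONE account: noisy, but not credential stuffing.
    + [(f"2000-01-01T10:02:{i * 5:02d}", "192.0.2.9", "bob@example.com", False)
       for i in range(6)]
)

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=10, max_success_ratio=0.2):
    """Return {source_ip: [accounts that source logged in to]} for sources
    that look like credential stuffing (thresholds are assumed values)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            distinct_users = {user for _, user, _ in span}
            success_ratio = sum(ok for _, _, ok in span) / len(span)
            if len(distinct_users) >= min_users and success_ratio <= max_success_ratio:
                # Every account this source got into needs a forced reset.
                flagged[ip] = sorted({user for _, user, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: suspected credential stuffing; reset {accounts}")
```

Grouping by source IP alone misses attempts spread across many addresses, so the same window is usually also keyed on other attributes such as device fingerprint or network.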
The North Face, a VF Corp. brand, indicated that by using this form of cyberattack, it is possible the perpetrators accessed certain customer information, including shipping addresses and records of past purchases.
The company filed a Notice with the Vermont Attorney General’s Office stating in brief, “Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from us) and then used those same credentials to access your account on our website.”
“We strongly encourage you not to use the same password for your account at our website that you use on other websites. If a breach occurs on one of those other websites, an attacker could use your email address and password to access your account at our website.”