Hackers have hit an outdoor apparel company, The North Face. A credential stuffing attack cost the company data of 194,905 of its customers.
The North Face issued a notification to affected users, saying an unusual activity on the company’s website prompted an investigation concluding hackers carried out a credential stuffing attack.
Hackers often use credentials obtained from leaked databases to carry out this type of attack. Cybersecurity experts advise using multiple passwords precisely to avoid credential stuffing attacks, where cyber criminals reuse old credentials.
According to The North Face, the company believes threat actors had user login and password information to access their accounts.
Once inside, threat actors could access a wide array of personal information, such as users’ billing address, shipping address, name and surname, email address, date of birth, phone number, and gender.
However, the company denied hackers could have accessed any payment data, as The North Face claims they do not keep copies of payment card details on their website.
“We only retain a “token” linked to your payment card, and only our third-party payment card processor keeps payment card details. The token cannot be used to initiate a purchase anywhere other than on thenorthface.com,” the company said in a statement.
The company also said it deleted payment tokens and reset user passwords upon learning about the attacks.
Cheap and damaging
According to Antoine Vastel, Head of Research at cybersecurity firm DataDome, the process is cheap and automated.
“Hackers can get started with credential stuffing attacks by investing as little as $500 in credential stuffing software, access to email and password combo lists, and the use of both public and private proxy services to distribute their attack across thousands of IP addresses to bypass traditional rate limiting techniques,” Vastel told Cybernews.
Modern credential stuffing attacks are a number game. With automated tools, threat actors can check hundreds of thousands of credentials on several websites at a time.
There’s a whole ecosystem working to accommodate attackers. According to the FBI, criminals advertise stolen credentials on publicly accessible forums.
“If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions […],” FBI’s notification reads.
More from Cybernews:
Subscribe to our newsletter