The North Face outdoor apparel brand is alerting customers about a recent credential stuffing attack in which the threat actor gained access to some personally identifiable information.
The global retailer's parent company, VF Corp, sent out a notification letter to customers on May 30th, stating that it had first discovered unusual activity involving The North Face website on April 23rd, 2025.
“Following a careful and prompt investigation, we concluded that an attacker had launched a small-scale credential stuffing attack against the site," the company said, noting that they were not beholden by law to do so, but take the protection of customer data seriously.
The "courtesy notification" did not say how many customers may have been impacted in the attack. Cybernews has reached out to VF Corp, but the company has not responded at the time of this report.
In a credential stuffing attack, a bad actor will typically gain unauthorized access to a user’s account by taking login credentials that are often sold or traded on the dark web after being acquired by hackers from other breaches. The attackers, rightly so, bet on the account holders using the same username and passwords for more than one account.
“Credential stuffing relies on the widespread problem of password reuse to gain access to online accounts,” said Benjamin Fabre, CEO and Co-founder of DataDome, pointing out that “81% of individuals reuse the same or similar passwords for multiple accounts.”
Because of this, "it is easy for malicious threat actors to find valid login and password combinations using a list of leaked credentials," the CEO explained.
Fabre further said that these types of breaches "often go undetected" for an extended period of time, because "logging into a customer account is not necessarily a suspicious action."
“It’s within the business logic of any website with a login page,” he said.
Customer payment data spared
According to VF Corp, no customer payment data was accessed in the breach. “Payment card (credit, debit, or stored value card) information was not compromised. The attacker could not view your payment card number, expiration date, or your CVV (the short code on the back of your card),” it said.
VF Corp said in the notice that it does not keep a copy of that information on its website; instead, it only retains a “token” linked to the user’s credit card. It stressed that the token “cannot be used to initiate a purchase anywhere other than on our Website,” adding that all payments are processed by an outside third-party.
Still, Fabre warned customers that even though linked bank accounts and credit cards were not accessed in this attack, once a hacker is inside a user’s account, they can use that personal data for identity theft.
Here is the list of custiomer information stored in North Face accounts that may have been compromised:
- First and last name,
- Date of birth (if you saved it to the account),
- Telephone number (if you saved it to the account).
- Email address,
- Products purchased on The North Face website
- Shipping address(es),
- Preferences.
"Hackers can get started with credential stuffing by investing as little as $500," Fabre told Cybernews.
Five hundred dollars will buy a threat actor an entire credential stuffing kit, including “‘account checking’ software, access to email and password combo lists, and the use of both public and private proxy services for obfuscation,” Fabre said.
“Today’s automated credential cracking and credential stuffing tools are designed to check hundreds of thousands of credential combinations against multiple websites,” he noted.
VF Corp customers are no strangers to company breaches
The North Face is a subsidiary of the Denver-based conglomerate VF Corporation (VF Corp), alongside other name brands including Vans, Adidas, Timberland, and more.
VF Corp, one of the world’s largest apparel, footwear, and accessories companies, also suffered a major ransomware attack in December 2023, impacting the personal data of over 35 million customers worldwide.
The attack, claimed by the ALPHV/BlackCat ransomware gang, caused significant disruption at its thousands of global retail stores, brand e-commerce sites, and distribution centers during the busy holiday season.
The North Face was also hit by another credential stuffing attack back in 2022, impacting close to 200,000 customers.
As in the most recent breach, The North Face explained to customers their payment data was not accessed by the attackers due to the fact it is not stored anywhere in the compnay's systems.
VF Corp strongly suggests its customers change the passwords to their The North Face accounts, as well as all other online accounts with the same login information, and in the future, never reuse passwords.
Your email address will not be published. Required fields are markedmarked