US outdoor fashion retailer The North Face has suffered a large-scale credential-stuffing attack that led to the unauthorized access of nearly 200,000 customer accounts.
The attack on the retailer’s e-commerce website began in late July. However, the brand says it detected unusual activity much later.
“On August 11, 2022, we detected unusual activity on our website, thenorthface.com,” the retailer said in a letter to impacted shoppers. “Following a careful investigation, we concluded that attackers launched a credential stuffing attack against our website, thenorthface.com, between July 26 and August 19, 2022.”
Password recycling to blame
In credential stuffing attacks, cybercriminals use email address or username and password combinations from data breaches and leaks to take over user accounts on other online platforms. Their success relies solely on users’ poor password management – mainly password reuse.
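An added example, not part of the original article or the retailer's own tooling: one way a defender could spot this pattern in login logs, by flagging a source that tries many distinct accounts in a short window with a low success rate and then listing the accounts it did get into. The log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): timestamp, source IP, username, result
SAMPLE_LOG = """\
2022-07-26T10:00:01 203.0.113.7 alice@example.com FAIL
2022-07-26T10:00:03 203.0.113.7 bob@example.com FAIL
2022-07-26T10:00:05 203.0.113.7 carol@example.com OK
2022-07-26T10:00:07 203.0.113.7 dave@example.com FAIL
2022-07-26T10:00:09 203.0.113.7 erin@example.com FAIL
2022-07-26T10:00:11 203.0.113.7 frank@example.com FAIL
2022-07-26T10:02:00 198.51.100.20 grace@example.com FAIL
2022-07-26T10:02:20 198.51.100.20 grace@example.com OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.2):
    """Flag IPs that try many distinct accounts inside `window` and mostly fail.
    Returns {ip: (distinct_users, successes, attempts)} for the widest match."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            oks = sum(ok for _, _, ok in win)
            if len(users) >= min_users and oks / len(win) <= max_ok_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), oks, len(win))
    return flagged

def accounts_to_reset(log, flagged):
    """Accounts with a successful login from a flagged source: these were accessed."""
    events = map(parse, filter(str.strip, log.splitlines()))
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    print(sources, accounts_to_reset(SAMPLE_LOG, sources))
```

A single user mistyping a password a few times, like the second source in the sample, touches only one account and is not flagged.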
Attackers gain access to customers’ info
The notification also warns that threat actors may have stolen an extensive list of personally identifiable information (PII) stored in compromised customer accounts, including:
· Full names and gender
· Telephone numbers and billing and shipping addresses
· Account creation date and purchase history
· XPLR Pass reward records
Luckily, payment information such as credit card data was not involved in the breach.
“We do not keep a copy of payment card details on thenorthface.com,” the company explained. “We only retain a ‘token’ linked to your payment card, and only our third-party payment card processor keeps payment card details.”
In response to the breach, the company reset all user passwords and removed any payment card tokens for any accounts accessed during the attack.
This isn’t the first credential stuffing attack on the retailer’s website. In November 2020, The North Face disclosed its first data breach in which previously compromised user credentials were leveraged to access customer data.
Shoppers are urged to closely monitor their accounts for suspicious activity and reset passwords for all other accounts that used the same combination of credentials to avoid any additional compromise of data.
How Bitdefender can help
Using unique and strong passwords when setting up an online account is critical. Bitdefender offers an extensive list of privacy- and security-focused solutions to help you manage and protect your online accounts and identity and stay on top of the best security practices.
With Bitdefender Password Manager, you can say goodbye to password management oversights. Subscribers to our multi-platform tool get the strongest known cryptographic algorithms to help secure and manage all online passwords, and the ability to create complex passwords that meet the highest security standards on all major operating systems.
You can opt for our standalone Password Manager service or grab it in our 3-in-1 security and privacy pack alongside our best-in-class security solution and Premium VPN service for maximum online protection.
If you are struggling to remember all of the online accounts created over the years, and you’re not sure whether your information was part of a data breach or leak, check out Bitdefender’s Digital Identity Protection. You can find old accounts linked to up to 5 email addresses, manage your digital footprint and stay on top of data breaches with 24/7 alerts.