Cyber Incident Victim: VF Corporation

On October 9, 2020, The North Face detected unauthorized access to customer accounts resulting from a credential-stuffing attack. Attackers leveraged usernames and passwords previously stolen from an unspecified third-party website to compromise accounts on the company’s e-commerce platform. The breach exposed customer-specific data, including purchase histories, items saved to favorites, billing and shipping addresses, full names, dates of birth, telephone numbers, email communication preferences, and loyalty program point balances. The company confirmed payment card details remained unaffected, as it does not store such information. While The North Face asserted the incident did not legally mandate breach notifications under applicable regulations, it proactively informed impacted customers out of caution. Evidence suggested attackers potentially executed unauthorized purchases using compromised accounts, though the scale of fraudulent transactions was not disclosed.

In response, The North Face initiated password resets for affected accounts to terminate unauthorized access. The company committed to refunding all fraudulent purchases attributed to the attack. It advised customers against password reuse across multiple websites, emphasizing that credentials exposed in unrelated breaches could facilitate future account takeovers. Additionally, The North Face implemented enhanced monitoring to identify patterns indicative of credential-stuffing activity, aiming to block similar attacks proactively. Customers were cautioned to scrutinize communications purporting to originate from the brand, as attackers might leverage stolen data for phishing campaigns. No forensic findings regarding attacker identity, infrastructure, or specific third-party sources of compromised credentials were disclosed publicly.