Cyber Incident Victim: VF Corporation

Date:

Apr 2025

Location:

United States of America

Summary

VF Outdoor, LLC, operating as The North Face, discovered unusual activity on its website that was identified as a credential stuffing attack using credentials obtained from another source. The attacker gained access to user accounts and could view information such as email addresses, names, shipping addresses, preferences, dates of birth, and phone numbers, but payment card details were not exposed because only tokens are stored. In response, the company disabled the compromised passwords and required affected users to create new credentials. The incident was deemed not legally required to be reported as a data breach, but notice was provided voluntarily.

Description

On April 23, 2025, VF Outdoor, LLC, doing business as The North Face, discovered unusual activity involving its website thenorthface.com. The company conducted an immediate investigation. The investigation concluded that an attacker had launched a small‑scale credential stuffing attack against the website on that date. A credential stuffing attack involves using account authentication credentials obtained from another source to gain unauthorized access to user accounts. The attacker is believed to have previously obtained email addresses and passwords from a breach unrelated to VF Outdoor and then used those credentials to access accounts on thenorthface.com.

Based on the investigation, the attacker may have accessed information stored on affected accounts. This information could include the account holder’s email address, first and last name, date of birth if saved to the account, telephone number if saved, shipping address(es), account preferences, and a record of products purchased on the website. The attacker did not obtain payment card numbers, expiration dates, or CVV codes because VF Outdoor does not store full payment card details on the website; only a token linked to the payment card is retained, with the actual card data held by a third‑party payment processor. Consequently, payment card information was not compromised in this incident.

Upon discovering the incident, VF Outdoor disabled passwords on the website, which required users to create a new password upon their next login. The company sent a voluntary notice to affected customers out of an abundance of caution, even though it determined that the incident did not trigger a legal obligation to notify under applicable law. The notice included a telephone number for customers to call for further information about the incident.
