The North Face Suffers a Credential Stuffing Attack - Resets User Passwords
- By Dawna M. Roberts
- Published: Nov 16, 2020
- Last Updated: Mar 18, 2022
Outdoor sporting gear giant The North Face suffered a major credential stuffing attack in early October, as Threatpost and Binary Defense reported last week. The North Face forced a password reset for an undisclosed number of customer accounts after it discovered a massive credential stuffing attack on October 8-9. The sizeable retail outfit has almost 7 million online customers, so it is anyone’s guess how many were actually affected.
What is Credential Stuffing?
After numerous data breaches from all different types of companies, the dark web is littered with dozens of databases full of usernames and passwords for various accounts. Hackers and thieves use a technique called “credential stuffing,” where they run automated software to reuse these stolen credentials on other websites. Credential stuffing works because many people use the same login credentials on multiple websites, a practice frowned upon by cybersecurity professionals.
Numerous other hacking incidents have involved credential stuffing. Although this one appears not to have been a major incident, in previous attacks many customers’ bank accounts have been drained after hackers gained access to bank and credit account logins.
In a notice to customers, The North Face explained, “Credential-stuffing attacks can occur when individuals use the same authentication credentials on multiple websites, which is why we encourage you to use a unique password on thenorthface.com.”
What Did Hackers Get?
In this latest data breach, The North Face admitted that attackers got away with customer names, phone numbers, email addresses, billing and shipping addresses, birthdates, purchase history, loyalty points, and other details. However, it assured customers that no credit or debit card numbers, expiration dates, or CVVs were impacted because they are not stored on the same server. Still, the information stolen was enough for identity thieves to get a foothold.
According to TripWire, thieves were able to make some unauthorized purchases on hacked accounts. The North Face has promised to refund any affected customer for any purchases made on their accounts due to this incident.
How Did The North Face Respond?
The North Face sent out a data breach notification to all affected customers. In it, they said The North Face “does not believe the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution.”
The North Face’s IT department detected unusual login activity and immediately implemented new security protocols that limit logins from suspicious sources. Further steps include pattern monitoring to flag malicious behavior on the website.
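The kind of login pattern monitoring described above, as an added defender-side illustration that is not The North Face’s own tooling: it flags sources that attempt many distinct accounts in a short window with mostly failed logins, which is how an automated credential-reuse run looks in a web login log, while leaving alone a single user retrying their own password or a shared office address whose logins mostly succeed. The log format, thresholds and sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not The North Face's): "<ISO time> src=<ip> user=<name> result=ok|fail"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")

def parse(line):
    m = LINE_RE.match(line)  # None for lines that do not match the assumed format
    return None if not m else (datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4])

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Map src_ip -> (distinct_users, attempts, failures) for sources that tried many
    different accounts inside one window with mostly failures. A person mistyping their
    password hits one account; a shared NAT hits many but mostly succeeds; a stuffing
    run hits many accounts and mostly fails, because most reused passwords do not match."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, user, result = rec
            events[src].append((ts, user, result))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, r in span if r == "fail")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                if src not in alerts or len(users) > alerts[src][0]:
                    alerts[src] = (len(users), len(span), fails)
    return alerts

# Constructed sample: one stuffing source, one legitimate user retrying, one office NAT.
SAMPLE_LOG = [
    "2020-10-08T21:14:03Z src=203.0.113.5 user=alice result=fail",
    "2020-10-08T21:14:04Z src=203.0.113.5 user=bob result=fail",
    "2020-10-08T21:14:05Z src=203.0.113.5 user=carol result=fail",
    "2020-10-08T21:14:06Z src=203.0.113.5 user=dave result=fail",
    "2020-10-08T21:14:07Z src=203.0.113.5 user=erin result=fail",
    "2020-10-08T21:14:08Z src=203.0.113.5 user=frank result=ok",
    "2020-10-08T21:20:00Z src=198.51.100.7 user=grace result=fail",
    "2020-10-08T21:20:30Z src=198.51.100.7 user=grace result=fail",
    "2020-10-08T21:21:00Z src=198.51.100.7 user=grace result=ok",
] + [f"2020-10-08T21:30:{i:02d}Z src=192.0.2.10 user=staff{i} result=ok" for i in range(6)]
```

Running `detect_stuffing(SAMPLE_LOG)` reports only 203.0.113.5 (6 accounts, 5 of 6 attempts failed); lowering `min_fail_ratio` to 0 would also flag the office NAT, which is why the failure ratio matters as much as the account count.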
Even though The North Face assured customers that payment data was protected, it went a step further by removing stored payment information from its system and has asked customers to re-enter it with their next purchase.
Added Dangers
In their data breach statement, The North Face warns customers, “We strongly encourage you not to use the same password for your account at thenorthface.com that you use on other websites because if one of those other websites is breached, your email address and password could be used to access your account at thenorthface.com.”
The North Face is also concerned that cyber criminals may target affected customers with phishing emails that appear to come from the company. It warns users not to be fooled and to change their passwords immediately.
Tips to Avoid Being Affected by Credential Stuffing
Along with never reusing the same email/username and passwords on multiple websites, threat experts suggest the following tips to stay safe from credential stuffing and other forms of identity theft and fraud.
- Never use the same credentials (usernames/passwords) on multiple websites.
- Use strong, complex passwords that combine upper- and lowercase letters, numbers, and symbols, including spaces. This makes them very difficult for hackers to crack.
- Invest in a good password vault to create passwords for you and keep all your logins safe. These tools can also warn you about data breaches and weak passwords.
- Keep all your devices updated with security patches and antivirus/anti-malware software.
- Always opt for two-factor authentication on websites that offer it. That way, even if someone has your password, they will not be able to get in without also entering the code sent by text or email.
- Turn on multi-factor authentication on your devices (things like Face ID and Touch ID). Biometrics offer an additional layer of security.
- Watch out for phishing emails after a data breach where your email address was involved.
- Never click any links in an email.
- Keep a close eye on bank accounts, credit cards, and credit reports, especially after a data breach.
Use common sense when setting up new accounts and think proactively about what you could lose if you don’t take a few extra seconds to come up with a unique login.
