The North Face Reports April Credential Stuffing Attack, the Fourth Since 2020

• The website of the clothing brand The North Face was targeted with credential stuffing last month.
• Exposed data includes names, shipping addresses, email addresses, dates of birth, telephone numbers, and more.
• Payment details remain secure as transactions are handled by an external provider.

Outdoor apparel giant The North Face has issued a fresh warning to customers following a credential stuffing attack on its website in April 2025. The company moved quickly to investigate and has begun notifying affected users.

The North Face, owned by VF Corporation, discovered and confirmed on April 23 that malicious actors had conducted a small-scale credential stuffing attempt targeting customer accounts. 

This event is not isolated. The North Face and its parent company have experienced a series of credential stuffing and ransomware incidents since 2020. 

According to a notice filed with the Vermont Attorney General, the data exposed in this incident includes full names, purchase history, shipping addresses, email addresses, dates of birth, and telephone numbers. Critically, payment details remain secure as transactions are handled by an external provider.

Previous attacks in March 2025 and in 2020, and 2022 have impacted thousands, with the most significant being a December 2023 ransomware breach affecting 35 million customers across VF Corp’s brands.

Addressing the repeated targeting of the same company, Ben Hutchison, Associate Principal Consultant at Black Duck, stated, “This could be due to new attackers perceiving the sector as vulnerable, while previous attackers may be intensifying their efforts to maximize their gains or cause damage, depending on their motivations."

To optimize security, Agnidipta Sarkar, Chief Evangelist at ColorTokens, shared, ”It is time they adopted zero trust mechanisms to stop lateral movement, using best-in-class microsegmentation tools immediately, especially those that are hyper-focused on stopping the proliferation of breaches.”

The breach announcement once again spotlighted the persistent security risks of password reuse and inadequate multi-factor authentication (MFA) enforcement. James Maude, Field CTO at BeyondTrust, further elaborated, 'In general, the retail sector can find themselves caught in tradeoffs where their focus is on making it as easy as possible to buy an item, not making it as secure as possible. Nobody wants to prompt a customer to pass an MFA challenge that might make them think twice about an impulse purchase.”

Credential stuffing, a method where attackers use automated tools and previously compromised username-password pairs from unrelated data breaches, continues to be a prevalent attack vector across e-commerce. 

Each time, attackers leveraged credential recycling, targeting users who reused passwords across multiple sites. While MFA would mitigate the effectiveness of these attacks, its absence continues to expose customer data.

Offering advice on mitigating risks, Haviv Rosh, Chief Technology Officer at Pathlock, commented, “One lesson companies should learn is that MFA is no longer a “nice-to-have” option — it is a necessity, especially for critical applications. This is particularly evident given that one of the incidents resulted from a successful credential stuffing attack.”