The North Face has reset the passwords of an undisclosed number of customers who shop on its online store after the outdoor retail giant suffered a credential stuffing attack at the beginning of October.
Credential stuffing is a technique employed by cybercriminals where username and password combinations from a previous data breach or data leak are used to try and access a user’s other online accounts. These types of attacks are particularly effective against those who reuse their credentials across multiple sites and services online.
According to a notice sent out to affected North Face customers, the attackers were able to access a variety of personal information on its users including their names, birthdays, telephone numbers, billing and shipping addresses, purchased or favorite products and email preferences.
Thankfully though, no credit or debit card information was accessible to those behind the credential stuffing attack as this information is not stored on North Face’s website.
Credential stuffing attack
In the notification sent out to affected customers, North Face explained that it was warning users affected by the credential stuffing attack despite the fact that the attackers did not obtain enough information for the company to be required to notify them of a data breach, saying:
“Based on our investigation, we believe that the attacker previously gained access to your email address and password from another source (not from The North Face) and subsequently used those same credentials to access your account on thenorthface.com. We do not believe that the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution.”
Once North Face detected suspicious activity on its website, the company implemented a series of security measures aimed at limiting the account login rate from suspicious sources as well as those showing a suspicious pattern. It then deleted all tokens associated with customer’s credit and debit cards on its website.
Users impacted by the credential stuffing attack will need to update their payment information and create new passwords the next time they visit North Face’s online store.
While the attack could have been much worse, it still serves as a reminder for users to always create strong, unique passwords for all of their accounts. This can easily be done using a password generator though many password managers also now include the ability to automatically generate strong, unique passwords as well.
Via BleepingComputer