- The North Face has notified customers of a data breach
- Hackers carried out a credential stuffing attack on its website and compromised customer accounts
- They stole names, addresses and telephone numbers
The North Face has confirmed that it suffered a credential stuffing attack in which cybercriminals exfiltrated customers' confidential information.
The outdoor clothing and equipment company has filed a new notice with the Vermont Attorney General that also included the data breach notification letter sent to the affected customers.
In the letter, the company said it discovered “unusual activity” on its website on April 23, 2025. The subsequent investigation showed that an unidentified attacker carried out a “small-scale credential stuffing attack”, using login credentials obtained elsewhere, probably bought on the dark web.
INTACT PAYMENT INFORMATION
“Credential stuffing attacks can occur when people use the same authentication credentials on multiple websites,” said North Face. “We encourage all our clients to use a unique password on our website.”
The criminals took people's shipping addresses, preference information, email addresses, full names, birth dates and telephone numbers.
“Payment card information (credit, debit or stored value card) was not compromised on our website,” the company added.
“The attacker could not see your payment card number, expiration date or your CVV (the short code on the back of your card).”
As North Face explained, no payment data was taken because it is not stored on the company's servers. The company only retains a token linked to the payment card, while the payment processor retains the details.
“The token cannot be used to start a purchase anywhere that is not on our website. Consequently, your credit card information is not at risk as a result of this incident.”
The North Face also said that notifying customers was not necessary, given the nature of the stolen information, but still decided to do it “out of great caution.” Even so, names, birth dates, postal addresses and telephone numbers are more than enough information to create personalized and convincing phishing emails that can result in identity theft, theft of payment information, wire fraud and more.
Via BleepingComputer