The North Face hit by another credential stuffing attack in April

The outdoor brand is notifying customers after detecting suspicious login activity that exposed personal information.

What happened

The North Face, a major outdoor apparel retailer owned by VF Corporation, has confirmed a data breach caused by a credential stuffing attack on its website on April 23, 2025. According to a breach notification filed with the Vermont Attorney General, the company detected unusual login behavior and quickly launched an investigation, concluding that attackers had used previously stolen credentials to access customer accounts.

Exposed data includes customers’ full names, email addresses, shipping addresses, phone numbers, birthdates, and purchase history. No payment information was accessed, as payments are processed externally and do not involve stored credit card data.

Going deeper

Credential stuffing is a type of cyberattack that uses automated tools to test large volumes of stolen username-password pairs against login pages. The success of these attacks often stems from users reusing the same credentials across multiple sites. Accounts protected by multi-factor authentication (MFA) are significantly harder to breach in this manner.

The April attack is The North Face’s fourth credential stuffing breach since 2020. A previous incident in March 2025 impacted both The North Face and Timberland websites and exposed 15,700 accounts. Larger attacks were disclosed in 2020 and 2022, while a major ransomware attack in 2023 affected 35 million customers.

What was said

In its customer notification, The North Face explained it had responded promptly to the suspicious activity and determined the incident was limited in scale. The company reiterated that no financial data was compromised due to its reliance on external payment providers.

BleepingComputer reached out to the company for further comment, including the number of accounts affected, but had not received a response at the time of reporting.

The big picture

Repeated credential stuffing incidents indicate that The North Face’s existing account security controls, particularly the lack of mandatory multi-factor authentication, may not adequately protect its large user base. With more than 40% of revenue coming from online sales, sustained attacks on the e-commerce platform present both reputational and operational concerns. 

FAQs

What is multi-factor authentication (MFA), and why does it matter here?

MFA adds an extra layer of security by requiring a second form of verification, like a phone code beyond just a password, making credential stuffing attacks far less effective.

Why are attackers targeting The North Face repeatedly?

The brand’s large customer base, valuable personal data, and history of MFA not being enforced universally make it a recurring target for automated login attacks.

How can I check if my account has been affected?

Customers should monitor emails from The North Face for breach notifications and check their login activity on the site. They can also contact customer support for confirmation.

What should customers do if they think their account was accessed?

Change your password immediately, especially if you reused it elsewhere, and enable MFA if available. Consider using a password manager to generate unique credentials.

Has The North Face committed to improving its security policies?

As of now, the company has not publicly stated any changes to its security protocols, including whether MFA will be enforced in the future.