Outdoor apparel retailer The North Face is warning customers that their personal information was stolen in credential stuffing attacks recently. These attacks specifically targeted the company’s official website, thenorthface.com, during the month of April 2025 for malicious exploitation. The North Face is a major American outdoor brand owned by VF Corporation, which also controls Vans, Timberland, and popular Dickies. This well-known company generates over $3 billion in annual revenue, making it one of the largest outdoor brands existing globally. Credential stuffing attacks involve threat actors using username-password pairs previously exposed in other data breaches to gain unauthorized account access.
The North Face has now begun sending data breach notifications to all impacted customers regarding this particular security incident they discovered.
A sample notice was shared with the Vermont Attorney General informing that the company recently suffered this specific credential stuffing attack. On April 23, 2025, The North Face first discovered unusual activity involving its website, which was then investigated immediately by their team. Following a careful and prompt internal investigation by their security experts, they concluded an attacker launched a credential stuffing attack. Exposed data includes full names, detailed purchase histories, shipping addresses, email addresses, birth dates, and also customer telephone contact numbers.
It is very important to note that sensitive payment card information was not exposed during this specific security breach incident at all.
This is because an external third-party provider very securely handles all online payments made on The North Face e-commerce website. The company itself does not retain any payment details, except for a token required for the transaction process to successfully complete. However, this is unfortunately the fourth credential stuffing incident the brand’s popular website has suffered since the beginning of year 2020. Their decision not to enforce multi-factor authentication on all customer accounts has now come at a rather significant cost unfortunately.
Earlier this current year, its parent company, VF Outdoor, also informed customers of a credential stuffing attack impacting thenorthface.com and timberland.com. That specific incident discovered on March 13, 2025, unfortunately exposed approximately 15,700 customer accounts to unauthorized access by attackers. Two other similar credential stuffing incidents were previously disclosed by the company in November 2020 and also in September of 2022. Those earlier security breaches collectively impacted over 200,000 customers of The North Face, clearly showing a recurring pattern of such attacks. The most severe past incident hitting The North Face was a December 2023 ransomware attack impacting 35 million customers.
Reference:
