The North Face Disables Shopper Account Passwords after Credential-Stuffing Attack – HOTforSecurity

The attack on The North Face forced an American field sales company to disable the account passwords of an unknown number of online shoppers.

According to the infringement notification letter sent to the customers concerned, the incident was discovered last month. The 9th. In October 2020, we were warned of unusual activities related to our website, which prompted us to launch an immediate investigation, according to the report. After a thorough investigation we came to the conclusion that on 8 and 9 October 2020 an attack was launched on our website to feed personal data.

In the case of identity theft attacks, cybercriminals use data already disclosed or hacked (username and password) to access additional Internet accounts and remove sensitive data such as credit cards and personal information.

In most cases, attacks that use the same username and password to set up different accounts on the Internet occur when people use the same combination of username and password.

Based on our research, we believe that the attacker previously accessed your email address and password from another source (not The North Face) and then used the same information to access your account at

The information that criminals have access to includes

– Products purchased from
– Products stored in the favourites section of the account
– Billing and shipping address
– VIPeak Loyalty Point only
– Preferred email
– First and last name
– Date of birth (if entered and stored in the account)
– Phone number (if entered and stored in the account)

The merchant emphasized that no credit card details are at risk. The intruder could not see your payment card number or expiration date, nor your CVV (short code on the back of the card), because we do not keep a copy of this information on, said The North Face. We only store the token that we have linked to your payment card and only our external payment card processor stores the payment card data. The token can not be used anywhere other than on to initiate a purchase.

In order to protect the personal data of customers, all passwords for user accounts to which were transferred on the 8th and 9th day of the fair have been deleted. October was opened, deactivated and all payment tokens were removed.

Buyers are strongly advised to create a unique password when logging into their online account and to re-enter their payment details when making a purchase. To protect themselves from further abuse of their online accounts, users are advised to reset an account password using the same credentials as

Those involved should also be wary of phishing emails containing this incident. Never give personal or financial information to anyone who contacts you via email, social networking sites or text messages.

It’s never a bad idea to also check your financial accounts for suspicious activity and set off credit card alerts. These small steps can reduce the risk of identity theft and fraud.

Related Tags:

kaspersky twitter,bit defender,bitdefender central