[BreachExchange] Credential Stuffers Scaled The North Face to Access Accounts

Destry Winant destry at riskbasedsecurity.com
Tue Nov 17 10:47:42 EST 2020


https://www.infosecurity-magazine.com/news/credential-stuffers-scaled-the/

Outdoor clothing giant The North Face has notified customers that it
has been hit by a credential stuffing attack which may have given
third parties access to their personal information.

In a data breach notice filed with the Californian Office of the
Attorney General (OAG), the San Francisco-headquartered firm claimed
that the brute force attack had been launched against its site on
October 8-9.

A credential stuffing attack occurs when cyber-criminals use automated
software to try previously breached log-ins across a large range of
sites: they’ll be able to access accounts where the individual has
reused their password.

Fortunately, The North Face uses tokenization to obfuscate customer
card details, but customers’ personal information may have been
accessed in the incident.

“Based on our investigation, we believe that the attacker obtained
your email address and password from another source and may have
accessed the information stored on your account at thenorthface.com,
including products you have purchased on our website, products you
have saved to your ‘favorites,’ your billing address, your shipping
address(es), your VIPeak customer loyalty point total, your email
preferences, your first and last name, your birthday (if you saved it
to your account), and your telephone number (if you saved it to your
account),” the notice read.

As a precaution, the firm deleted all payment card tokens on the site,
limited logins from suspicious sources and disabled all passwords from
accounts compromised in the attack. Affected customers will need to
create new passwords and re-enter payment card details, it said.

“We strongly encourage you not to use the same password for your
account at thenorthface.com that you use on other websites, because if
one of those other websites is breached, your email address and
password could be used to access your account at thenorthface.com,”
the notice continued.

“In addition, we recommend avoiding using easy-to-guess passwords. You
should also be on alert for schemes, known as phishing attacks, where
malicious actors may pretend to represent The North Face or other
organizations, and you should not provide your personal information in
response to any electronic communications regarding a cybersecurity
incident.”

Retail accounted for over 90% of the 64 billion credential stuffing
attempts detected by Akamai over the period July 1 2018 to June 30
2020.
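
Added example (not part of the original article or The North Face's
notice): a defender-side check over login logs that flags sources
trying many distinct accounts with few successes, and lists the
accounts that did log in from those sources, i.e. the ones whose
passwords would need to be disabled. The log format, thresholds and
sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, format assumed: "<time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-10-08T02:14:01Z 203.0.113.7 alice@example.com FAIL
2020-10-08T02:14:02Z 203.0.113.7 bob@example.com FAIL
2020-10-08T02:14:02Z 203.0.113.7 carol@example.com OK
2020-10-08T02:14:03Z 203.0.113.7 dave@example.com FAIL
2020-10-08T02:14:04Z 203.0.113.7 erin@example.com FAIL
2020-10-08T02:14:05Z 203.0.113.7 frank@example.com FAIL
2020-10-08T09:30:11Z 198.51.100.20 grace@example.com FAIL
2020-10-08T09:30:40Z 198.51.100.20 grace@example.com OK
2020-10-08T10:02:00Z 192.0.2.55 heidi@example.com OK
not a log line
"""


def analyze(log_text, min_accounts=5, max_success_ratio=0.25):
    """Return {source_ip: [accounts that logged in OK]} for suspicious sources.

    A source is suspicious when it tried at least `min_accounts` distinct
    usernames and at most `max_success_ratio` of them succeeded. A user who
    mistypes their own password touches one account, so is not flagged.
    """
    tried = defaultdict(set)      # source IP -> usernames attempted
    succeeded = defaultdict(set)  # source IP -> usernames that logged in
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of failing the whole run
        _, ip, user, result = parts
        user = user.lower()  # treat e-mail logins as case-insensitive
        tried[ip].add(user)
        if result == "OK":
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        ratio = len(succeeded[ip]) / len(users)
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            # These accounts were accessed with reused credentials.
            flagged[ip] = sorted(succeeded[ip])
    return flagged


if __name__ == "__main__":
    for ip, accounts in analyze(SAMPLE_LOG).items():
        print(ip, "-> reset passwords for:", accounts)
```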

