Retail giant for outdoor clothing, The North Face, has been forced to reset customer account passwords after it was struck by a credential stuffing assault.

Credential stuffing describes tactics employed by cybercriminals where they take advantage of extensive collections of leaked password and username combinations acquired in earlier data breaches, in order to access other customer user accounts online.

Credit stuffing can be a particularly successful form of attack when employed against individuals who employ identical passwords and usernames for a number of user accounts across the web. The aim of credit stuffing attacks is to obtain access to the largest number of user accounts possible on the site targeted, and then commit a range of crimes. These include, but are not limited to, stealing funds, seizing private data and assuming the identities of the customer accounts’ owners.

Payment details not accessed

According to the data leak notice sent to impacted users by The North Face, the hackers responsible for the credit stuffing were able to acquire access to an extensive array of personally identifiable information (PII).

Affected information that may possibly have been accessed through the compromised user accounts includes full names, dates of birth, telephone numbers, purchase histories, and shipping and billing addresses. However, no payment information was exposed in the data leak suffered by The North Face.

The company commented:

“The perpetrator was not able to view any credit or debit card numbers, expiration data, nor CVVs, because that information is not kept on copy on thenorthface.com. The site only stores a ‘token’ which cannot be used to initiate purchases anywhere other than thenorthface.com.”

The data leak notice served to impacted customers does not state that hackers bought products using the infiltrated accounts, although the company’s official press statement suggests that instances of such activity were identified.

Additionally, a spokesperson for The North Face commented to respected computer help site BleepingComputer:

“We have offered full refunds for any unauthorized purchases on thenorthface.com, and all customers who could have been impacted were sent official notification.”

Swift security action taken by The North Face

Following detection of the credit stuffing attack, when activity considered suspicious was identified and investigated, The North Face acted quickly. This included deploying security procedures to mitigate the login rate to user accounts from questionable sources, employing a suspect pattern.

As a precaution, the company’s security team disabled the passwords for all user accounts that had been accessed in the attacks recorded timeframe. Additionally, teams also deleted any stored tokens associated with user payment cards in all customer accounts on its site.

The company has warned impacted customers that they will be prompted to input their payment details and update passwords when they next visit the website. The North Face also advised users to avoid using passwords that can easily be guessed, and to steer clear of using the same username and password combination across multiple accounts to avoid becoming a victim of a credit stuffing attack in the future.