The North Face Hit by Credential Stuffing Attack, Warns Customers to Reset Passwords
- Cyber Jack
In the latest wave of cyber incidents sweeping the retail sector, outdoor apparel brand The North Face has disclosed that attackers successfully accessed some customer accounts by exploiting reused login credentials.
According to a consumer notification filed with the Vermont Attorney General’s Office, the breach was first identified on April 23 when the company detected a spike in suspicious login activity. Investigators later confirmed that the intrusion was the result of a credential stuffing attack—a tactic in which cybercriminals leverage email and password pairs stolen from unrelated breaches to infiltrate other websites.
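The login spike described above has a recognisable shape in authentication logs: a single source tries many different accounts and mostly fails, unlike a brute-force run against one account. The Python below is an added example, not code from The North Face or this article; the log format, thresholds, addresses and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (documentation IP ranges, example.com accounts).
SAMPLE_LOG = """\
2025-01-01T10:00:01 ip=203.0.113.7 user=ann@example.com result=fail
2025-01-01T10:00:03 ip=203.0.113.7 user=ben@example.com result=fail
2025-01-01T10:00:05 ip=203.0.113.7 user=cat@example.com result=fail
2025-01-01T10:00:07 ip=203.0.113.7 user=dana@example.com result=ok
2025-01-01T10:00:09 ip=203.0.113.7 user=eli@example.com result=fail
2025-01-01T10:00:11 ip=203.0.113.7 user=fay@example.com result=fail
2025-01-01T10:01:00 ip=198.51.100.20 user=bob@example.com result=fail
2025-01-01T10:01:02 ip=198.51.100.20 user=bob@example.com result=fail
2025-01-01T10:01:04 ip=198.51.100.20 user=bob@example.com result=fail
2025-01-01T10:02:00 ip=192.0.2.55 user=gus@example.com result=fail
2025-01-01T10:02:30 ip=192.0.2.55 user=gus@example.com result=ok
""".splitlines()

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"] == "ok"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.2):
    """Return {ip: (distinct_users, accounts_that_logged_in)} for sources that,
    inside one sliding window, tried many different accounts and mostly failed."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            hits = sorted({u for _, u, ok in win if ok})
            low_success = sum(ok for _, _, ok in win) / len(win) <= max_ok_ratio
            # Keep the widest window seen for this source.
            if len(users) >= min_users and low_success and len(users) > flagged.get(ip, (0,))[0]:
                flagged[ip] = (len(users), hits)
    return flagged
```

The accounts listed for a flagged source are the ones whose reused password worked, which is the set that needs a forced reset.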
The North Face stressed that the attack did not compromise its internal systems. Instead, the incident targeted users who had reused login credentials across multiple services. While no financial information was exposed, the intruders may have accessed full names, shipping addresses, order histories, and, in some cases, birthdates and phone numbers—data that can be weaponized for phishing or identity fraud.
Payment information remains safe, according to the company, which clarified that it does not store card numbers, CVVs, or expiration dates. “We only retain a 'token' linked to your payment card, and only our third-party payment card processor keeps payment card details,” the notice stated.
This breach affects users of the company’s US website, thenorthface.com, and comes on the heels of a separate, massive data breach at VF Corporation, The North Face’s parent company, which last year compromised information on more than 35 million customers across its brand portfolio.
The company has since reset all affected user passwords and is urging customers to create new, unique login credentials. “We strongly encourage you not to use the same password for your account at our website that you use on other websites,” the company warned. It also highlighted the risk of phishing attacks that could stem from exposed contact information.
Darryl Jones, Vice President of Consumer Strategy at Ping Identity, noted the broader implications of this trend for the retail sector.
“Recent high-profile cyberattacks targeting retail organizations have once again highlighted the growing threat of identity-based breaches,” said Jones. “Attackers increasingly focus on exploiting vulnerabilities in customer data, making identity and access management (IAM) frameworks the frontline in defending against these threats. Even when sensitive credentials or payment information remain protected, the theft of customer contact details can enable phishing, social engineering, and more sophisticated identity-based attacks – showing that traditional perimeter defenses are no longer enough.”
To protect against such evolving threats, Jones emphasized a shift in strategy. “Businesses must adopt a trust nothing, verify everything mindset that involves implementing multi-factor authentication (MFA), risk-based access controls, and intelligent identity orchestration that dynamically adapts to emerging threats. By investing in advanced IAM solutions, organizations can better protect identities, foster customer trust, and build more resilient digital ecosystems.”
The incident adds The North Face to a growing list of retail casualties in the last two months, alongside Cartier, Adidas, Victoria’s Secret, and several major UK retailers including Harrods and M&S. Collectively, these breaches illustrate a troubling pattern: cybercriminals are increasingly bypassing hardened systems by exploiting user behavior and gaps in identity protections.
For consumers, the lesson remains the same: use unique passwords, enable MFA, and remain alert to suspicious emails or login attempts. For brands, the pressure to move beyond reactive security and toward intelligent, identity-first defense strategies is no longer optional—it’s survival.