The well-known outdoor brand The North Face, a subsidiary of the US company VF Corporation, has made public a cyber attack on its customer system.
Attackers were apparently able to access personal data. The attack took place in April 2025, but was only made public at the end of May.
Suspicious activity and rapid analysis
On April 23, 2025, VF Corp discovered unusual activity on The North Face website. After an internal investigation, it was determined that it was a so-called credential stuffing attack. Although, according to the company, there was no legal obligation to report it, the decision was made to notify affected users.
What is credential stuffing?
In a credential stuffing attack, cybercriminals use stolen login credentials, usually taken from previous data leaks and circulating on the darknet. These credentials are tried automatically on various websites, in the hope that users have reused the same password.
Benjamin Fabre, co-founder and CEO of cyber security company DataDome, emphasizes: “81% of internet users use the same or similar passwords for multiple accounts.” This makes it relatively easy for attackers to find valid login data. Such activities often remain undetected for a long time, as a normal login to a website does not constitute conspicuous behavior.
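Because each individual login looks normal, detection has to look at the pattern across logins. The following is an added example, not part of the original article or of VF Corp's systems: it flags a source address that tries many different accounts with mostly failed logins inside a short window, and lists the accounts that did log in successfully from that source so they can be reset and notified. The log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed login events: '<ISO time> <source IP> <account> <OK|FAIL>'."""
    t0 = datetime(2025, 1, 1, 10, 0, 0)
    lines = []
    for i in range(40):  # one source walks through 40 accounts, two logins succeed
        res = "OK" if i in (7, 31) else "FAIL"
        ts = (t0 + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.10 user{i}@example.com {res}")
    for i, res in enumerate(["FAIL", "FAIL", "OK"]):  # customer mistyping a password
        ts = (t0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.5 alice@example.com {res}")
    return lines

def parse(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_accounts=20, min_fail_ratio=0.8):
    """Return {source IP: accounts that logged in OK} for flagged sources."""
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, account, ok = parse(line)
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()  # events inside the sliding time window
        for ev in events:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:
                recent.popleft()
            accounts = {a for _, a, _ in recent}
            fails = sum(1 for _, _, ok in recent if not ok)
            # Many distinct accounts, mostly failing: a leaked list is being replayed
            if len(accounts) >= min_accounts and fails / len(recent) >= min_fail_ratio:
                # Successful logins from this source are the accounts to reset
                flagged[ip] = sorted({a for _, a, ok in events if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(build_sample_log()).items():
        print(f"{ip}: likely credential stuffing, reset {accounts}")
```

The customer who mistypes a password twice is not flagged, because only one account is involved; the distinguishing signal is the number of distinct accounts per source, not the number of failures alone.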
No payment information affected
According to VF Corp, no payment data was compromised. Credit card information such as card number, expiration date or verification code (CVV) was neither stored nor visible. Instead, only a so-called token is stored on the website, which can only be used within The North Face’s system. The actual payment processing is carried out by an external service provider.
This data could be affected
The following personal information from customer accounts may have been compromised in the attack:
- First and last name
- E-mail address
- Date of birth (if stored)
- Telephone number (if stored)
- Delivery addresses
- Order history
- User preferences
Risks and recommendations for customers
Even if no bank details have been stolen, personal data can be misused for identity theft. Attackers could use the information to create fake accounts or carry out social engineering attacks.
Customers should therefore change their passwords immediately – not only for The North Face, but also for other accounts where the same password has been used. The reuse of passwords should always be avoided.
A known problem at VF Corp
This is not the first time The North Face has been the target of a credential stuffing attack. Around 200,000 user accounts were already compromised in 2022. In addition, the parent company VF Corporation was the victim of a large-scale ransomware attack in December 2023, which affected the data of over 35 million customers.
With brands such as Vans, Timberland and Adidas, VF Corp is one of the world’s largest manufacturers of clothing and footwear. The Group emphasizes that it takes the security of customer data very seriously – even if past incidents point to recurring vulnerabilities.