- The North Face informed customers of a data breach
- Hackers carried out a credential stuffing attack on its website and breached customer accounts
- They stole names, addresses and phone numbers
The North Face has confirmed that it suffered a credential stuffing attack through which cybercriminals exfiltrated sensitive customer information.
The outdoor clothing and equipment company has filed a new notice with the Vermont Attorney General, which also included the data breach letter sent to the affected customers.
In the letter, the company said that it had discovered “unusual activity” on its website on April 23, 2025. The subsequent investigation showed that an unidentified attacker carried out a “small-scale credential stuffing attack”, using login credentials obtained elsewhere, most likely bought on the dark web.
Payment information intact
“Credential stuffing attacks can occur when individuals use the same authentication information on several websites,” said The North Face. “We encourage all our customers to use a unique password on our website.”
The crooks made off with people’s shipping addresses, preference information, e-mail addresses, full names, birth dates and telephone numbers.
“Payment card information (credit, debit or stored value card) was not compromised on our website,” added the company.
“The attacker could not display your payment card number, the expiration date or your CVV (the short code on the back of your card).”
As The North Face explained, the payment data was not taken because it is not stored on its servers. The company only retains a token linked to the payment card, while the payment processor retains the details.
“The token cannot be used to start a purchase anywhere other than on our website. Consequently, your credit card information is not at risk due to this incident.”
The North Face also said that customer notification was not necessary, given the nature of the stolen information, but that it had still decided to do so “out of an abundance of caution”. However, names, birth dates, postal addresses and telephone numbers are more than sufficient to create personalized and convincing phishing emails that can lead to identity theft, theft of payment information, wire fraud, etc.
Via BleepingComputer