The North Face is reporting that its e-commerce site suffered a “credential stuffing attack” during summer 2022.
In a notification sent to customers who may have had information exposed in the attack, The North Face said that on Aug. 11, 2022, it detected unusual activity on its corporate e-commerce website.
Following an investigation, the company concluded that attackers launched a credential stuffing attack against its site between July 26 and Aug. 19, 2022. A “credential stuffing attack” is a type of cybersecurity attack where the attacker uses account authentication credentials, such as email addresses/usernames and passwords, often obtained from another source, such as a breach of another company, to gain unauthorized access to accounts.
Based on its investigation, The North Face said it believes that the attackers obtained email addresses and passwords of some customers, and may have also accessed the information stored on customer accounts, such as customer first and last name, date of birth, billing and shipping address(es), telephone number, unique The North Face customer ID number, gender, the date an account was created, reward member records, products that have been purchased on the site, and customer preferences.
According to The North Face, payment card (credit, debit, or stored value card) information was not compromised in the attack, due to its tokenization of payment card details. Once it became aware of the attack, the company said it took steps including disabling passwords and erasing payment card tokens from accounts that were accessed during the attack timeframe.
In comments submitted to Chain Store Age, Uriel Maimon, VP of emerging products at HUMAN, said that credential stuffing attacks are the new frontier of cybersecurity.
“We should expect that the credentials stolen from The North Face will soon be tested on other apps that we use to power our daily lives,” said Maimon. “Once cybercriminals have access to accounts, they can purchase goods, cash in loyalty points, sell the credentials on the dark web, or even take out lines of credit. Malicious login attempts out of total logins trended upwards during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak.
“Attackers have gained access to these users’ accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites,” said Maimon. “And yet despite that fact, organizations have a legal and ethical obligation to safeguard the personal and financial information of their users. This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks, but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in, in order to differentiate between real users and attackers.”
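The volumetric side of the login-signal tracking Maimon describes, as an added defensive example that is not code from the article, The North Face or HUMAN: a credential stuffing run looks different from a typo or a single-account brute force because one source tries many distinct accounts in a short window with a high failure rate, and the accounts that did succeed are the ones whose passwords were valid in the leaked dump and need resetting, which is the response the article says The North Face took. The log format, the thresholds and the sample lines below are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in web login logs (added example).

Assumes a constructed log format of one event per line:
    <ISO timestamp> <source IP> <username> <ok|fail>
Thresholds (window, min_accounts, min_fail_ratio) are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts (stuffing, one hit),
# 198.51.100.20 is a real user who mistyped once, and 192.0.2.9 hammers a
# single account (password guessing, not stuffing: one distinct account).
SAMPLE_LOG = """\
2022-08-11T10:00:01 203.0.113.7 alice fail
2022-08-11T10:00:02 203.0.113.7 bob fail
2022-08-11T10:00:03 203.0.113.7 carol ok
2022-08-11T10:00:04 203.0.113.7 dave fail
2022-08-11T10:00:05 203.0.113.7 erin fail
2022-08-11T10:00:06 203.0.113.7 frank fail
2022-08-11T10:00:10 198.51.100.20 grace fail
2022-08-11T10:00:25 198.51.100.20 grace ok
2022-08-11T10:00:30 192.0.2.9 henry fail
2022-08-11T10:00:31 192.0.2.9 henry fail
2022-08-11T10:00:32 192.0.2.9 henry fail
2022-08-11T10:00:33 192.0.2.9 henry fail
2022-08-11T10:00:34 192.0.2.9 henry fail
2022-08-11T10:00:35 192.0.2.9 henry fail
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources that, within any sliding window,
    tried at least min_accounts distinct usernames with a failure ratio
    of at least min_fail_ratio. Stats reflect the widest qualifying window."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "fail")
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                stats = {"distinct_accounts": len(users),
                         "attempts": len(win), "failures": fails}
                if best is None or stats["distinct_accounts"] > best["distinct_accounts"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source: their
    password was valid in the attacker's list, so disable it and force a reset."""
    return sorted({u for _, ip, u, o in events if ip in flagged_ips and o == "ok"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", accounts_to_reset(evs, hits))
```

The distinct-account count is what separates stuffing from an ordinary brute force against one account, and the successful-login list is the action item: those credentials should be invalidated and any stored payment tokens cleared, as the article describes. In production this signal would be combined with device, session and behavioural data rather than used alone, and the thresholds would be tuned against the site's own baseline of failed logins.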
Kroll: Online fraud poses serious threat
According to the recent Global Fraud and Risk Report from security company Kroll, 82% of over 1,300 surveyed senior decision-makers for risk strategy said their organizations had been significantly impacted by fraud and illicit activity. Looking specifically at retail, wholesale and distribution respondents, the survey found that 81% had been significantly impacted by serious misconduct and 69% had conducted an internal investigation in the last three years.