Description

The American outdoor apparel and equipment company, The North Face, sent out notifications to some of its customers on May 30, 2025 about a credential stuffing attack it recently experienced. The attack was detected on April 23, 2025, when the company’s IT department noticed unusual activity on its website. The cyberattack compromised a minimum of 2,861 user accounts and the information exposed included personal information (PI) such as full names, email addresses, telephone numbers, shipping addresses, and detailed purchase histories. This is the fourth credential stuffing attack The North Face has experienced in five years.

 

Identify Indicators of Compromise (IoCs)

While there are no details available as to what indicators were discovered by the company’s IT team, typical identity indicators of a credential stuffing attack include:

  • Any sudden spike in failed login attempts across user accounts
  • Widespread account lockouts or an unusually high volume of password reset requests within a short period of time
  • Unusual login patterns including access attempts from unfamiliar geographic regions or at atypical times that deviate from established user patterns
  • User reports of unauthorized activity such as unexpected password changes or unfamiliar transactions
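
The first indicator can be checked in login logs by counting how many distinct accounts a single source fails against within a short window, which separates credential stuffing from one user mistyping a password. This is an added example, not code from The North Face or HALOCK; the log format, thresholds and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, username, result); not real data.
SAMPLE_LOG = """\
2025-04-23T10:00:01 203.0.113.7 user01 FAIL
2025-04-23T10:00:03 203.0.113.7 user02 FAIL
2025-04-23T10:00:05 203.0.113.7 user03 FAIL
2025-04-23T10:00:07 203.0.113.7 user04 OK
2025-04-23T10:00:09 203.0.113.7 user05 FAIL
2025-04-23T10:00:11 203.0.113.7 user06 FAIL
2025-04-23T10:02:00 198.51.100.20 user07 FAIL
2025-04-23T10:02:20 198.51.100.20 user07 FAIL
2025-04-23T10:02:45 198.51.100.20 user07 OK
2025-04-23T10:03:10 192.0.2.5 user01 OK
"""

def parse(log):
    """Yield (timestamp, ip, username, succeeded) for each log line."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_accounts=5):
    """Flag IPs whose failed logins hit >= min_accounts distinct usernames in one window."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start, peak = 0, 0
        for end, (ts, _, _, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            failed = {u for _, _, u, ok in events[start:end + 1] if not ok}
            peak = max(peak, len(failed))
        if peak >= min_accounts:
            # Successful logins from a flagged IP are candidates for a forced reset.
            findings[ip] = {"failed_accounts": peak,
                            "reset_candidates": sorted({u for _, _, u, ok in events if ok})}
    return findings

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The repeated failures on `user07` from a single address are not flagged because they involve only one account; the threshold and window need tuning against normal traffic, for example shared office or carrier NAT addresses.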

 

Actions Taken

The company did a good job of notifying its customers in a timely manner. Its IT teams also disabled all compromised passwords and directed users to create new unique credentials that had never been used for other websites.

 

Prevention

A credential stuffing attack may not involve a direct breach of the targeted organization. Instead, attackers may use usernames and passwords that were stolen in prior data breaches at unrelated companies. Quite often these credentials are purchased and traded on the dark web. Since many users reuse the same login credentials across multiple websites, attackers exploit these stolen credentials by testing them on other websites to gain unauthorized access. The success of these attacks relies on individuals using identical login credentials across different platforms and services.

Organizations can implement multiple security measures to protect against credential stuffing attacks:

  • Require unique usernames, such as custom usernames or account numbers, rather than email addresses. Because email addresses are widely used across the internet and easily obtainable, they make usernames predictable and vulnerable to automated attacks.
  • Implement Multifactor Authentication (MFA) to add another layer of security by requiring a second form of verification in addition to the username and password. MFA methods can include a one-time code via SMS text, email, or an authenticator app.
  • IP-based rate limiting can be used to restrict the number of requests or login attempts that can be made from a single IP address within a specific time period.
  • Web Application Firewalls (WAFs) provide protection from web-based attacks including credential stuffing.

 
