Breaking Down the North Face Credential Stuffing Attack

Recently, outdoor apparel retailer North Face disclosed that it suffered from a credential stuffing attack. North Face stated the credential stuffing attack occurred on October 9, affecting an undisclosed number of customers. Hackers apparently gained users’ usernames and passwords from a third-party website. 

The company sent out a data breach notification to customers. While the North Face credential stuffing attack did not compromise financial information, it did expose information such as products purchased, billing and shipping addresses, names, birthdays, telephone numbers, and email preferences.

Some Key Lessons from the North Face Credential Stuffing Attack

First, the fact that another major retailer suffered a credential stuffing attack indicates just how dangerous these attacks can prove. Credential stuffing works by hackers simply trying previously stolen usernames and passwords on other sites and looking for repetitions, that is, accounts where the same credentials were reused. Any repetition gives them access to a new account at a new victim business.

Therefore, your business must encourage both customers and employees to use only unique, strong passwords for their accounts. You can do this through mandatory password resets every few months or through the use of password managers. You can also deploy customer identity and access management and privileged access management solutions.
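On the detection side, the pattern described above (one source trying many stolen username and password pairs, a few times each, and mostly failing) can be picked out of login logs. The following is an added example, not code from North Face or from this article's sources; the log format, thresholds, and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-10-09T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-10-09T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-10-09T10:00:03Z 203.0.113.7 carol@example.com OK
2020-10-09T10:00:04Z 203.0.113.7 dave@example.com FAIL
2020-10-09T10:00:05Z 203.0.113.7 erin@example.com FAIL
2020-10-09T10:02:10Z 198.51.100.4 grace@example.com FAIL
2020-10-09T10:02:30Z 198.51.100.4 grace@example.com FAIL
2020-10-09T10:03:05Z 198.51.100.4 grace@example.com OK
2020-10-09T10:05:00Z 192.0.2.15 heidi@example.com OK
malformed line
"""

def parse_events(log_text):
    """Yield (ip, user, ok) tuples, skipping lines that are not well formed."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            _, ip, user, result = parts
            yield ip, user.lower(), result == "OK"

def find_stuffing_sources(events, min_users=5, max_attempts_per_user=2.0,
                          max_success_rate=0.5):
    """Flag sources that try many accounts, few times each, mostly failing.
    Returns {ip: accounts that logged in from it}; treat those as taken over."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    hits = defaultdict(set)
    for ip, user, ok in events:
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)
    flagged = {}
    for ip, seen in users.items():
        per_user = attempts[ip] / len(seen)       # brute force is high here
        success_rate = len(hits[ip]) / len(seen)  # normal users are high here
        if (len(seen) >= min_users and per_user <= max_attempts_per_user
                and success_rate <= max_success_rate):
            flagged[ip] = sorted(hits[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: likely credential stuffing; reset {accounts or 'no accounts'}")
```

The accounts returned for a flagged source are the ones whose reused passwords worked, so they are the ones to reset and notify first. The thresholds are illustrative and need tuning against your own traffic.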

However, we also wish to confront a statement made by North Face in their data breach notification: 

“We do not believe that the attacker obtained information from us that would require us to notify you of a data security breach under applicable law, but we are notifying you of the incident voluntarily, out of an abundance of caution.”

We cannot stress this enough: this isn’t how data breaches work. Any information that appears on the Dark Web or ends up in dangerous hands becomes a threat to users. Hackers can use this information for future data breaches, for phishing or spear-phishing attacks, and for other nefarious ends. In fact, users need to know that non-financial information was breached just as much as they would if financial information had been stolen.

Users can replace their credit cards or freeze them; it is obnoxious but doable. However, users can’t easily change their names or addresses. North Face, upon learning about the credential stuffing attack, immediately had the obligation to alert affected users.  

Expert Commentary

Vinay Sridhara is CTO of Balbix

“This incident highlights the wide-spread issue of hackers capitalizing on weak password hygiene, taking advantage of rampant password reuse, and a lack of multifactor authentication (MFA). According to a recent study, roughly 80 percent of hacking-related breaches are due to compromised, weak, and reused passwords. Yet, 99 percent of people employees still reuse passwords across an average of 2.7 work and personal accounts.”

“Strong password hygiene must be a top priority for every company and enterprises should scan for password reuse on an ongoing basis to limit their exposure. Additionally, NIST’s Special Publication 800-63B: Digital Identity Guidelines recommends that organizations follow these four principles: 8 character minimum, no complexity or special character requirements, no password expiration, and to check against dictionaries and lists of previously breached passwords. Given that the amount of compromised credentials continues to grow, checking passwords against a dynamic database rather than a static list is critical.”

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.