Attackers stole nearly 200,000 North Face accounts by trying passwords


The website of outdoor clothing manufacturer North Face was the target of a credential stuffing attack.


The admins of the North Face website have apparently been asleep: unknown attackers have been attacking the website for almost a month. They were able to compromise 194,905 customer accounts. The admins only became aware of it after more than three weeks and then stopped the attack.


In order to hijack the accounts, the attackers tried out e-mail addresses and passwords on a large scale until there were hits. Such login data usually comes from other hacks and is sold in large lists on underground forums. Such attacks are called credential stuffing attacks.

North Face was obviously sloppy here and simply didn’t notice the countless failed logins in the course of the attack. The incident has only now become known because the website operator is legally obliged to report such security incidents – this is also the case in Germany. Unlike in Germany, the information on the IT attack is even publicly available.
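The failed logins described above leave a recognisable pattern in authentication logs: one source working through many different accounts, with almost every attempt failing. The following is an added example, not taken from the article or from North Face; the log format, the thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed log lines: '<ISO time> <source IP> <account> <OK|FAIL>'."""
    t0 = datetime(2020, 1, 1, 10, 0, 0)
    lines = []
    for i in range(12):  # one source walks through 12 different accounts
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"{ts} 198.51.100.7 user{i:02d}@example.com {result}")
    # an ordinary user mistyping their own password twice, then succeeding
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (t0 + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.20 carol@example.com {result}")
    return lines

def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_accounts=10, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts, mostly failing, in one window.

    Returns {source_ip: sorted accounts that logged in successfully from it}.
    """
    events = defaultdict(list)
    for line in lines:
        ts, ip, account, result = line.split()
        events[ip].append((datetime.fromisoformat(ts), account, result == "OK"))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {acct for _, acct, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                # every account this source got into is a password-reset candidate
                flagged[ip] = sorted({acct for _, acct, ok in evs if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_stuffing(build_sample_log()).items():
        print(f"possible credential stuffing from {ip}; successful logins: {hits}")
```

A campaign spread across many source addresses stays under per-source thresholds, so the same counting also has to be done site-wide, for example on the overall ratio of failed to successful logins.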

In addition to the log-in data, the attackers are said to have had access to addresses, names and telephone numbers, among other things. Those responsible say they have reset all passwords. The attackers are said to have had no access to payment information such as credit card data. The manufacturer of outdoor clothing wants to notify affected customers.

Even if the website operator has screwed up here, you should critically question your own handling of passwords. You should never use just one password for all online services for the sake of convenience. If that password is lost, attackers have captured the master key and can access all accounts.
