In a recent warning, The North Face has informed customers that their personal information was compromised during a credential stuffing attack targeting the outdoor apparel retailer’s website. This incident occurred on April 23, 2025, and has forced The North Face to send out breach notifications to affected individuals, as confirmed by a notice shared with the Vermont Attorney General.
The North Face, a well-known brand under the VF Corporation umbrella, is recognized for its outdoor gear and clothing. The company generates over $3 billion in annual revenue, with e-commerce accounting for approximately 42% of its total sales volumes. The credential stuffing attack has raised serious concerns regarding the security practices of major brands, particularly in light of the fact that this incident marks the fourth credential stuffing attack on The North Face since 2020.
Credential stuffing attacks are a growing cybersecurity threat where attackers automate login attempts using previously exposed username-password pairs. Vulnerable accounts can be targeted if users recycle the same credentials across different services, thereby amplifying the effectiveness of such attacks. While The North Face did not report any theft of payment information—thanks to the external provider managing transactions—sensitive personal data, including full names, email addresses, and purchase histories, have been compromised.
This incident comes on the heels of earlier security breaches, including a credential stuffing attack reported on March 13, 2025, which impacted ‘thenorthface.com’ and ‘timberland.com,’ affecting approximately 15,700 accounts. Previous incidents in November 2020 and September 2022 collectively compromised over 200,000 customer accounts. The most severe breach happened in December 2023, where a ransomware attack affected 35 million customers.