Updated at 4:10 ET.
The North Face has warned its customers not to recycle log-in information on its customer accounts, following a cyberattack on its site last month that used a technique called “credential stuffing.”
In a notification filing with the Vermont Attorney General’s office, North Face’s parent VF Corp. submitted a draft of its letter to affected customers, noting that the breach occurred on April 23, 2025. The letter indicated that an attacker launched a “small-scale credential stuffing attack” using email addresses/usernames and passwords stolen from another source, such as a breach of a different company or website, to gain unauthorized access to user accounts.
“Credential stuffing attacks can occur when individuals use the same authentication credentials on multiple websites,” VF said, adding that it encourages all its customers to “use a unique password” on its website.
“We do not believe that the incident involved information that would require us to notify you of a data security breach under applicable law. However, we are notifying you of the incident voluntarily, out of an abundance of caution,” VF said in the letter. It also said that information that may have been accessed includes products purchased on The North Face website, shipping address and other information if saved on the customer account, such as date of birth and telephone number.
VF also emphasized that payment card information “was not compromised on our website” because it does not keep such data on its site.
The company said approximately 1,500 individuals were impacted. In a statement released Wednesday, The North Face said, “The incident was quickly contained, and those affected were promptly notified. It’s important to note that no credit card information was compromised. Protecting the data of our customers remains our highest priority.”
The frequency of retail-related cybersecurity attacks increased by 56 percent in 2023 compared to the previous year, according to KnowBe4’s “Global Retail Report 2025.” Last month, researchers from Google Threat Intelligence Group and Google subsidiary Mandiant said cybercriminals that were believed to have been responsible for three attacks against companies in the U.K. were focusing on U.S. retailers. Last month Victoria’s Secret had to temporarily shut down its site after a cybersecurity breach.
According to the Vermont Attorney General’s section for security breach notices, other fashion firms that had to file notices recently were Alex Apparel Inc. and women’s footwear firm Jildor Shoes Inc. The Alex Apparel letter said its breach was on March 10, and that there was no indication that any personal information has been or will be fraudulently misused. The company also reset passwords. Jildor’s breach around Feb. 1 involved a ransomware attack. While personal information may have been impacted, the shoe firm said there is no indication that personal information was acquired or misused in any way.
Last month, Adidas said it had a cyberattack in which an “unauthorized third party” obtained some consumer data — but not any passwords, credit cards or any other payment-related information — through a third-party customer provider.
Last week, Victoria’s Secret’s e-commerce site was down for a few days as it addressed a security incident. The breach also resulted in a delay of its first-quarter earnings report that was slated for Thursday. And fashion firms overseas — Harrods, Marks & Spencer and the Co-op Group in the U.K. — last month also saw hackers targeting their online operations. Moreover, Dior confirmed last month that it was impacted by a data breach involving its Chinese customer base.
A report from KnowBe4 in March said the greatest threat now is not payment data but rather the theft of personal information that it describes as “credential harvesting.” Stolen credentials of this type have become more popular because the information gives hackers immediate access to personal accounts, allowing them to bypass security measures.
— With contributions from Rosemary Feitelberg