The North Face confesses to another data breach

Outdoor retailer The North Face has warned customers that their personal information has been compromised.
According to the data breach notice that was shared with the Office of the Vermont Attorney General, the company discovered ‘unusual activity’ on its website, thenorthface.com, on April 23.
“Following a careful and prompt investigation, we concluded that an attacker had launched a small-scale credential stuffing attack against our website,” The North Face’s parent company VF Corporation writes.
A credential stuffing attack is one in which attackers take login credentials exposed in an earlier data breach at another company and try them against various online services. Such credentials can be bought, for example, on a forum on the dark web. A credential stuffing attack only works if people reuse the same password for numerous online accounts.
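From the defender's side, credential stuffing shows up in login logs as one source trying many different accounts in a short time, mostly failing, with a few successes where a password was reused. The sketch below is an added example, not code from VF Corporation or the original article; the log format, the thresholds, and the sample lines (documentation IP ranges, constructed accounts) are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, source IP, account, result
SAMPLE_LOG = """\
2025-04-23T10:00:01 203.0.113.7 amy@example.com FAIL
2025-04-23T10:00:03 203.0.113.7 bob@example.com FAIL
2025-04-23T10:00:05 203.0.113.7 cat@example.com OK
2025-04-23T10:00:08 203.0.113.7 dan@example.com FAIL
2025-04-23T10:00:11 203.0.113.7 eve@example.com FAIL
2025-04-23T10:00:12 198.51.100.4 zoe@example.com FAIL
2025-04-23T10:00:40 198.51.100.4 zoe@example.com FAIL
2025-04-23T10:01:10 198.51.100.4 zoe@example.com OK
2025-04-23T10:02:00 192.0.2.9 fay@example.com OK
"""

def parse(log):
    """Turn log text into time-sorted (time, ip, account, succeeded) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, user, result = parts
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.6):
    """Map each suspicious IP to the accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            # Many distinct accounts + mostly failures = stuffing pattern.
            if len(accounts) >= min_accounts and fails / len(win) >= min_fail_ratio:
                findings.setdefault(ip, set()).update(e[2] for e in win if e[3])
    return {ip: sorted(users) for ip, users in findings.items()}
```

The accounts returned for a flagged source are the ones to lock and force through a password reset; a single user mistyping their own password (the second IP in the sample) is not flagged because only one account is involved.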
“We do not believe that the incident involved information that would require us to notify you of a data security breach under applicable law. However, we are notifying you of the incident voluntarily, out of an abundance of caution,” VF Corporation says.
The attackers managed to get their hands on personal information that was stored on customers’ accounts, including full names, purchase histories, shipping addresses, dates of birth, email addresses, and telephone numbers. Financial information like payment card numbers, CVV codes, or expiration dates was not compromised.
VF Corporation recommends using strong and unique passwords to secure online accounts. Affected customers who’ve used the same login credentials at other online services should change their passwords.
Lastly, victims should be on alert for targeted phishing attacks. “Don’t provide personal information in response to any electronic communications regarding a cybersecurity incident,” the retailer suggests.
This isn’t the first data breach VF Corporation has dealt with. According to the Office of the Maine Attorney General, 15,713 customers were affected by a data breach that occurred in March 2025.
Similar incidents took place in November 2020 and September 2022. During the latter incident, a credential stuffing attack exposed the personal information of 194,905 customers.
The most severe incident happened back in December 2023, when The North Face was hit with a ransomware attack, impacting over 35 million customers worldwide.