Apr 03, 2026

The North Face Got Hacked With Stolen Passwords—For the Fourth Time in Five Years

Attackers used credentials from unrelated breaches to access 2,861 customer accounts on The North Face website. It is the fourth time the retailer has been hit by the same attack technique since 2020.

What Happened

On April 23, VF Outdoor (the parent company of The North Face, Vans, Timberland, and Dickies) detected unusual login activity on The North Face website. An investigation confirmed that attackers had used email and password combinations obtained from other data breaches to gain access to 2,861 customer accounts.

VF Outdoor filed breach notifications with the Vermont and Maine attorneys general, though it stated the disclosure was made "out of an abundance of caution" and that the incident did not legally require notification.

What Data Was Exposed

Attackers who successfully logged into customer accounts could see:

  • Full name
  • Email address
  • Shipping address
  • Date of birth
  • Telephone number
  • Purchase history

Payment card data was not compromised. The North Face uses an external payment processor and only stores a non-transferable token for transactions, meaning attackers could not extract credit card numbers even from fully accessed accounts.

How Credential Stuffing Works

Credential stuffing is one of the simplest and most effective attack techniques on the internet. It works because people reuse passwords. When a breach at one service exposes email and password pairs, attackers feed those combinations into automated tools that try them against dozens of other websites.

The math is straightforward: if even 1% of credentials from a massive password leak work on a retail site, that is thousands of compromised accounts. Credential stuffing does not require any sophistication, any vulnerability in the target site, or any insider access. It only requires users who reuse passwords.
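The replay pattern described above leaves a recognizable trace in authentication logs: one source trying many different accounts, almost all of them failing. The following is an added example, not code from The North Face or VF Outdoor; the log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them against real traffic.
WINDOW = timedelta(minutes=5)   # sliding window per source IP
MIN_ACCOUNTS = 10               # distinct accounts tried inside the window
MIN_FAIL_RATIO = 0.8            # replayed breach pairs mostly fail

def parse(line):
    """Parse 'ISO-timestamp ip account OK|FAIL' (constructed log format)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account.lower(), result == "OK"

def detect_stuffing(lines):
    """Flag sources that try many different accounts and mostly fail."""
    events = sorted(map(parse, lines))
    recent, flagged = defaultdict(deque), {}
    for ts, ip, account, ok in events:
        q = recent[ip]
        q.append((ts, account, ok))
        while ts - q[0][0] > WINDOW:          # drop events older than the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        fail_ratio = sum(not s for _, _, s in q) / len(q)
        if len(accounts) >= MIN_ACCOUNTS and fail_ratio >= MIN_FAIL_RATIO:
            flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    # Any account a flagged source got into needs a forced reset.
    hits = defaultdict(set)
    for _, ip, account, ok in events:
        if ok and ip in flagged:
            hits[ip].add(account)
    return {ip: {"accounts_tried": n, "compromised": sorted(hits[ip])}
            for ip, n in flagged.items()}

def sample_log():
    """Constructed sample: a stuffing run, a single-account guesser, a real user."""
    lines = []
    for i in range(12):   # 12 different accounts, one attempt each, one works
        res = "OK" if i == 7 else "FAIL"
        lines.append(f"2025-01-15T10:00:{i * 4:02d} 203.0.113.7 user{i}@example.com {res}")
    for i in range(15):   # many guesses at ONE account: not the stuffing pattern
        lines.append(f"2025-01-15T10:01:{i * 3:02d} 198.51.100.20 bob@example.com FAIL")
    lines += [            # a customer mistyping twice before getting in
        "2025-01-15T10:02:00 192.0.2.44 carol@example.com FAIL",
        "2025-01-15T10:02:09 192.0.2.44 carol@example.com FAIL",
        "2025-01-15T10:02:20 192.0.2.44 carol@example.com OK",
    ]
    return lines

if __name__ == "__main__":
    print(detect_stuffing(sample_log()))
```

Runs spread across many source addresses stay under a per-IP threshold, so the same window is usually also keyed on other signals such as network or client fingerprint.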

Four Breaches in Five Years

This is not the first time The North Face has been hit by credential stuffing. The pattern is remarkable:

  • November 2020: First credential stuffing attack disclosed
  • September 2022: Over 200,000 customer accounts compromised
  • March 2025: 15,700 accounts breached across The North Face and Timberland websites
  • April 2025: 2,861 accounts compromised (current incident)

On top of these credential stuffing incidents, VF Corporation also suffered a ransomware attack in December 2023 that impacted 35 million customers and caused significant operational disruptions. The company disclosed that incident to the SEC.

Four credential stuffing breaches and a ransomware attack in five years raise serious questions about VF Corporation's security posture. After the 2022 incident affected 200,000 accounts, the company should have implemented mandatory multi-factor authentication, aggressive rate limiting, and bot detection on all login endpoints. The fact that the same attack vector succeeded again in 2025, twice, suggests those measures were either not implemented or not effective.

No Identity Protection Offered

VF Outdoor disabled all website passwords and forced account resets, but declined to offer identity protection or credit monitoring services to affected customers. The company's position that the breach did not legally require notification, despite choosing to disclose it, suggests it views the incident as minimal risk.

For the 2,861 affected customers, the exposed combination of name, email, address, date of birth, and phone number is enough for an attacker to attempt targeted phishing, SIM swapping, or identity fraud. A retailer that generates over $3 billion annually could afford to offer basic identity protection to a few thousand compromised customers.

What You Should Do

  • Stop reusing passwords. Use a password manager to generate and store unique passwords for every account. If you reuse your email password on retail sites, a credential stuffing attack on any of them can compromise all of them.
  • Enable multi-factor authentication everywhere. MFA blocks credential stuffing completely. Even if an attacker has your email and password, they cannot log in without the second factor.
  • Check if your credentials are compromised. Use Have I Been Pwned to see if your email address appears in known breaches. If it does, change the password on every site where you used the same credentials.
  • Watch for phishing emails. After a breach, affected customers often receive convincing phishing emails that impersonate the breached company. Any email asking you to "verify your account" or "update your payment information" after a breach notification should be treated with extreme suspicion.

The Bigger Picture

Credential stuffing is a symptom of a larger problem: the billions of username and password pairs circulating on criminal marketplaces from years of data breaches. Every new breach adds to this pool, and every retailer, bank, or service without mandatory MFA is a target.

The North Face incident is small in scale (2,861 accounts) compared to the breaches hitting tens of millions, but its recurrence is the story. A company that has been breached four times by the same technique without solving the underlying problem is a company that has accepted credential stuffing as a cost of doing business rather than a security failure to prevent.

For consumers, the lesson is clear: treat every online account as if the service behind it will eventually be breached, because statistically, it will. Unique passwords and MFA are not optional precautions anymore. They are the minimum.