Outerwear giant The North Face has notified customers that their accounts may have been compromised after it noticed unusual activity on its site last month.
It discovered the credential stuffing attack on Aug. 11, though the campaign ran from July 26 to Aug. 19, according to a data breach notification seen by Information security.
Credential stuffing exploits users who reuse passwords. After cracking a password/username combination, hackers run it through automated software that tries it on numerous other websites and apps to see which accounts it unlocks.
The ultimate goal is usually to harvest any personal information stored in these accounts in order to resell access on the dark web and/or use stored card details to make fraudulent purchases.
However, North Face explained that it has tokenized payment card information so that threat actors cannot access that data.
“The attacker was unable to see the full payment card number, expiration date or CVV. We do not store copies of payment card details on thenorthface.com,” it said.
“We only store the ‘token’ associated with your payment card, and only our third-party payment card processor stores payment card data. The token cannot be used to initiate a purchase anywhere other than thenorthface.com.”
However, the retailer warned some customers that attackers may have been able to hijack their accounts with previously compromised credentials. If so, they may have access to information including purchase history, billing and shipping address, preferences, email address, first and last name, date of birth, phone number, unique North Face ID number, gender, and XPLR Pass award records.
That would certainly be enough to attempt follow-on identity fraud or to carry out convincing phishing attacks.
After discovering the incident, the firm said it disabled passwords and removed payment card tokens from compromised accounts. These users will need to enter a new password and re-enter their payment details the next time they log in.
If they use the same password on other sites or applications, they should change it there to a unique, strong one, the notification added.
Credential attacks are particularly common on retail and financial services sites. According to one estimate, 193 billion account takeover attempts were made in 2020 as cybercriminals sought to capitalize on the growing number of internet users during the pandemic.