    Why Good Passwords Matter: 2,800 North Face Accounts Breached in Cyber Attack

    If you just got an email from The North Face saying that your account has been compromised, it’s probably because you phoned it in when it came to setting your password for it.

    The outdoor apparel and equipment brand is notifying more than 2,800 of its online customers that their personal information was stolen in an April credential-stuffing attack on its website. That attack comes on the heels of recent cyber attacks on fellow retailers Victoria’s Secret, Cartier, Adidas and Marks & Spencer.

    According to a notification filed with the state of Maine, North Face detected unusual activity on its site on April 23. An investigation revealed that an attacker had launched a “small-scale credential-stuffing attack” against the site.

    In that type of attack, cybercriminals attempt to use massive sets of previously exposed logins and passwords to access online accounts. If a customer has used the same login and password for the attacked site, their account could be at risk of compromise. Conversely, setting different passwords for all of your accounts limits the potential damage from this kind of attack.

    According to the state of Maine notification, 2,861 North Face accounts were affected by the April attack. The company said it disabled the passwords for those accounts and customers will be required to set new ones when they log back in. Customers were also advised to set new passwords for any other account where they might have used the same password.
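
    For site operators, the pattern described above (one source trying many accounts, a try or two each, mostly failing) can be picked out of login records, and the accounts that were actually entered are the ones whose passwords get disabled. The sketch below is an added example, not North Face's or the article's code; the event format, thresholds, addresses and usernames are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (source IP, username, login succeeded).
# Addresses come from the documentation-only ranges; usernames are invented.
SAMPLE_EVENTS = (
    [("203.0.113.7", u, False) for u in ("ann", "bo", "cy", "eli", "flo")]
    + [("203.0.113.7", "dana", True)]             # one reused password works
    + [("198.51.100.20", "alice", False)] * 6     # brute force on ONE account
    + [("192.0.2.15", "gus", False), ("192.0.2.15", "gus", True)]  # typo
    + [("192.0.2.50", u, True) for u in ("h1", "h2", "h3", "h4", "h5")]  # NAT
)

def flag_credential_stuffing(events, min_accounts=5, max_tries_per_account=2,
                             min_fail_ratio=0.8):
    """Return {source: summary} for sources whose login pattern looks like
    credential stuffing: many accounts, few tries each, mostly failures.
    The default thresholds are illustrative assumptions, not tuned values."""
    per_source = defaultdict(lambda: defaultdict(list))
    for source, user, ok in events:
        per_source[source][user].append(ok)

    findings = {}
    for source, users in per_source.items():
        outcomes = [ok for tries in users.values() for ok in tries]
        fail_ratio = outcomes.count(False) / len(outcomes)
        deepest = max(len(tries) for tries in users.values())
        if (len(users) >= min_accounts
                and deepest <= max_tries_per_account
                and fail_ratio >= min_fail_ratio):
            findings[source] = {
                "accounts_tried": len(users),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts the source got into: candidates for a forced reset.
                "accounts_to_reset": sorted(
                    u for u, tries in users.items() if any(tries)),
            }
    return findings

if __name__ == "__main__":
    for source, summary in flag_credential_stuffing(SAMPLE_EVENTS).items():
        print(source, summary)
```

    Grouping by source address alone misses attempts spread across many addresses, so in practice the same breadth-versus-depth check is also run over other grouping keys such as client fingerprint or time window.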

    “We do not believe that the incident involved information that would require us to notify you of a data security breach under applicable law,” North Face said in its customer-notification letter. “However, we are notifying you of the incident voluntarily, out of an abundance of caution.”

    Gaining access to a customer account could give the attackers access to information including customer names, dates of birth, phone numbers, email addresses and shipping addresses, if those pieces of information were saved to a customer’s account, along with shopping preferences and past purchases, North Face said.

    Credit and banking card information, including card numbers and expiration dates, was not exposed in the attack, the company said, because it doesn’t store that kind of information on its site. Instead it uses a secure token that links a customer’s account to a third-party payment processor.

    How to protect your personal data in case of a breach

    Set strong passwords. All of your online passwords should be long, random and unique. In the case of the North Face breach, the customer accounts were compromised because the customers had used the same password for another account that was previously compromised. Yes, setting different, strong passwords for all of your accounts can be a lot of work. If you need help, try a password manager.

    Always, always use two-factor authentication whenever possible. This protects your account with a second identifier like a biometric indicator or a push notification sent to your phone, making it a lot harder for an attacker to get in even if they have your password.

    Limit the data you store in online accounts. Sure, it’s convenient to save your name, address and credit card information in your account for your favorite online store, but the more information you hand over, the more it’s at risk for theft. Think about checking out as a guest and if you’re done shopping with a particular retailer, think about deleting your account entirely.

    Change compromised passwords right away. It’s no longer considered a best practice to change your passwords every 90 days or so. If you set a good one, you can largely leave it be. But if you do hear that it’s been compromised, don’t dawdle in setting a new one.

    Be on guard for phishing attempts. The more information cybercriminals have about you, the better they can craft phishing attempts aimed at stealing your money or personal data. Artificial intelligence tools are making this easier than ever. All unsolicited emails, texts and social media ads and messages should be looked at with skepticism.
