
VF Outdoor, the parent company behind The North Face and Timberland, has disclosed a security breach that exposed personal information belonging to over 15,000 customers.
The security breach began in March 2023 but was only discovered and remediated two years later, on March 13, 2025.
The breach was uncovered after VF Outdoor noticed suspicious activity on its retail websites, thenorthface.com and timberland.com. According to the notification filed with the authorities, the breach resulted from a credential stuffing attack — a tactic where threat actors use stolen login credentials from unrelated breaches to gain access to user accounts on different platforms. The attack allowed unauthorized access to customer data such as names, email addresses, shipping addresses, purchase histories, and in some cases, dates of birth and phone numbers.
The company behind these popular outdoor brands is a subsidiary of VF Corporation, a Fortune 1000 apparel and footwear conglomerate based in Denver, Colorado. VF owns a portfolio of major brands and maintains a significant digital retail presence, making it a prime target for credential abuse schemes. The breach impacted 15,713 individuals, and no identity protection services were offered as part of the response.
In its notice to impacted customers, VF Outdoor clarified that payment card data remained secure thanks to the use of tokenization by a third-party processor. No full card numbers, expiration dates, or CVV codes were stored on their website, making them inaccessible to the attackers. Nevertheless, the company chose to notify affected users voluntarily, citing an abundance of caution.
Once the issue was identified, VF Outdoor disabled affected passwords and urged customers to reset them using unique combinations. The firm also advised users to avoid reusing passwords across multiple websites — a common risk factor in credential stuffing attacks. Customers were further encouraged to monitor their financial accounts for suspicious activity and stay alert to phishing attempts posing as official communications.
Although no law enforcement investigation delayed the notification, the two-year gap between the breach’s initiation and its detection raises questions about long-term monitoring and detection capabilities at large online retailers.
Also, the lack of two-factor authentication enforcement, even after incidents such as this one, is an inexcusable security failure on the firm's part.
If you have an account at The North Face website (thenorthface.com) or Timberland (timberland.com), reset your password immediately, using a strong passphrase that is unique to that site.
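On the detection side, credential stuffing leaves a recognizable trace in login logs: one source trying many different accounts, usually once each, and failing most of the time. The sketch below is an added example, not code from VF Outdoor or from the breach notice; the event format, the thresholds and the sample rows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed (timestamp, source_ip, username, success) rows; not real data."""
    t0 = datetime(2025, 3, 1, 12, 0, 0)
    events = []
    # Stuffing pattern: one source, 30 different accounts, one try each, 2 hits.
    for i in range(30):
        events.append((t0 + timedelta(seconds=2 * i), "203.0.113.7",
                       f"user{i}@example.com", i in (4, 19)))
    # Ordinary user: mistypes the password twice, then logs in.
    for i, ok in enumerate((False, False, True)):
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.20",
                       "alice@example.com", ok))
    # Shared office NAT: several accounts, nearly all successful.
    for i in range(8):
        events.append((t0 + timedelta(seconds=40 * i), "192.0.2.50",
                       f"staff{i}@example.com", i != 3))
    return events

def detect_stuffing(events, window=timedelta(minutes=10),
                    min_accounts=20, min_failure_rate=0.8):
    """Flag sources that try many distinct accounts within `window` and mostly fail.

    Returns {ip: [accounts that source logged in to]}: the accounts to reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Advance start so rows[start:end + 1] spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            accounts = {user for _, user, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            if (len(accounts) >= min_accounts
                    and failures / len(chunk) >= min_failure_rate):
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_stuffing(sample_events()).items():
        print(f"{ip}: likely credential stuffing; successful logins: {hits}")
```

The successful logins returned for a flagged source are the accounts whose passwords the source already held, which makes them the first candidates for a forced reset. Stuffing spread across many source addresses evades a per-IP check like this one and needs grouping on other signals as well.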