Latest news with #credentialStuffing
Forbes
4 days ago
- Business
- Forbes
Password Attack — The North Face Confirms Data Breach
The North Face confirms data breach. When it comes to outdoor apparel, fashion brands don't come much bigger than The North Face. When it comes to data-stealing attacks, hackers don't get it much easier than using credential-stuffing tactics. The North Face has now confirmed that just such an easy path has been taken by password attackers who managed to steal names, addresses, purchase histories and telephone numbers from affected customers. Here's what you need to know. The North Face is a major player in the fashion industry, boasting an annual revenue of over $3 billion. It should come as no surprise, then, that it is on the radar of cybercriminals. The American retailer, part of the VF Corporation group, which also owns brands such as Dickies, Timberland, and Vans, has confirmed that it suffered a data breach on April 23. As data breach notifications begin to arrive for affected customers, it becomes possible to reveal what has happened. Confirming that unusual activity was detected on The North Face website, VF Outdoor, LLC, said that 'an attacker had launched a small-scale credential stuffing attack' on April 23. A credential-stuffing attack is when a hacker has access to usernames and passwords from previous breaches, and there are billions of these available online, against other accounts. If your login details are shared across more than one site or service, you are at risk of such an attack. When one account is breached, all others using the same credentials can be compromised by a determined attacker. 'Hackers can get started with credential stuffing attacks by investing as little as $500 in credential stuffing software, access to email and password combo lists, and the use of both public and private proxy services for obfuscation,' Benjamin Fabre, CEO of DataDome, said. The North Face disclosure stated that it quickly disabled passwords to halt the attack, and all users will need to create a new and unique password on the website if they have not already done so. 'We strongly encourage you not to use the same password for your account at our website that you use on other websites,' The North Face said. Information that was compromised included: name, purchase history, shipping address, email address, date of birth and telephone number. However, payment information has not been compromised as a third-party provider handles all site payments. I have reached out to VF Corporation for a statement regarding the password attack impacting customers of The North Face.
The Verge
4 days ago
- Business
- The Verge
Which fashion brand hasn't been hacked recently?
Which fashion brand hasn't been hacked recently? Now, Bleeping Computer has two more to add to the list, reporting that Cartier has sent emails to customers informing them that info like name, email address, and country of residence was stolen, and that The North Face has apparently suffered its fourth reported credential stuffing incident since 2020.
CNET
28-05-2025
- Business
- CNET
You Might Be Able to Claim $10,000 From the 23andMe Data Breach. How It Works and How to Apply
Hackers used a credential stuffing attack to gain access to 23andMe accounts in October 2023. Getty Images/Viva Tung/CNET Genetic testing company 23andMe was struck by a prolonged data breach that allowed hackers to gain personal data for about half of the company's 14 million customers. Since then, 23andMe has struggled, filing for bankruptcy in March 2025 and eventually being acquired by Regeron. Now that the ownership situation has been settled, the company has begun allowing customers to file claims for their shares of the legal settlement related to that data breach. The San Francisco-based company, which allows people to submit genetic materials and get a snapshot of their ancestry, announced in October 2023 that hackers had accessed customer information in a data breach. A January 2024 lawsuit accused 23andMe of not doing enough to protect its customers and not notifying certain customers with Chinese or Ashkenazi Jewish ancestry that their data was targeted specifically. It later settled the suit for $30 million. "We have executed a settlement agreement for an aggregate cash payment of $30 million to settle all US claims regarding the 2023 credential stuffing security incident," a 23andMe spokesman told CNET. "We continue to believe this settlement is in the best interest of 23andMe customers, and we look forward to finalizing the agreement." A few months after that decision, there's finally an official method available for you to make your claim and potentially get paid by 23andMe, in some cases as much as $10,000. Keep reading to get all the details you need, and for more, find out why T-Mobile settlement checks have been delayed and see if you're able to claim a piece of Apple's Siri privacy settlement. How many people were affected by the 23andMe data breach? The settlement could cover roughly 6.9 million 23andMe customers whose data was targeted in the leak. To qualify for the proposed settlement, 23andMe customers must also have been US residents on Aug. 11, 2023. That 6.9 million number includes around 5.5 million customers of 23andMe's DNA Relatives profiles, which lets people find and connect with genetic relatives. The other 1.4 million people affected by the breach used another service known as Family Tree, which predicts a family tree based on the DNA users share with relatives, 23andMe said. How much money could I get as part of the 23andMe settlement? At the top end, 23andMe has said that it will pay out up to $10,000 with an "Extraordinary Claim" to customers who can verify that they suffered hardships as a direct result of their information being stolen in the data breach that resulted in unreimbursed costs. This includes costs resulting from "identity fraud or falsified tax returns," from acquiring physical security systems, or from receiving mental health treatment. Residents of Alaska, California, Illinois and Oregon who were impacted by the breach can also apply for a payment as part of the proposed settlement, since those states have genetic privacy laws with damages provisions. The payments for these individuals are expected to be around $100, depending on how many people file for them, a settlement document said. Also, a smaller subset of affected users whose personal health information was impacted by the breach will be able to apply for a payment of $100. Infographic credit: Gianmarco Chumbe/CNET; Background image:Will the settlement include anything else? Beyond those payments, 23andMe will also offer impacted users three years of a security monitoring service called Privacy Shield, which filings described as providing "substantial web and dark web monitoring." How can I file a claim for the 23andMe settlement? In order to file a claim electronically, you can do so using this official online portal from the Kroll Restructuring Administration. An additional online form is available if you would like proof of your claim sent to you. Potential claimants can also download and print out hard copies of the claim form and proof of claim form if they wish to submit them by mail. If you're planning to use this method, send your forms to one of the addresses listed on the official claims website. The deadline to make your claim is July 14, 2025. For more, read this explainer on how class-action lawsuits work.
