Overview

• On April 23, attackers executed a small-scale credential-stuffing attack using stolen usernames and passwords to access customer accounts
• Up to 1,500 shoppers may have had names, email addresses, shipping addresses and dates of birth exposed, but no payment card data was held on the site
• VF Corp voluntarily alerted affected customers in early June despite no legal obligation to do so, citing an abundance of caution
• The company has strengthened its security infrastructure and recommended that all users adopt unique passwords and enable two-factor authentication
• The breach follows similar incidents at Cartier, Marks & Spencer and Victoria’s Secret, highlighting a broader spike in credential-stuffing attacks across retail