VF Outdoor, LLC

The Maine Office of the Attorney General disclosed a data breach affecting VF Outdoor, LLC (operating as Timberland®) on January 26, 2022. The incident, discovered on November 5, 2021, resulted from a credential stuffing attack, compromising the personal data of 48 individuals, including one Maine resident. The exposed information was limited to email addresses and passwords, with no financial data (e.g., payment cards) involved. Credential stuffing exploits reused login credentials from prior breaches to gain unauthorized access to user accounts. While the breach did not escalate to financial fraud or broader systemic damage, it posed risks such as account takeover, phishing, or identity theft for affected users. The company likely initiated password resets and notified impacted individuals, though the scale remained relatively contained. The absence of sensitive financial or high-value personal data (e.g., Social Security numbers) mitigated the severity, but the incident still highlighted vulnerabilities in authentication practices and the persistent threat of automated attacks targeting reused credentials.

Source: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/c7c3d48a-1380-45b3-94a4-663f57e0f7bb.shtml

TPRM report: https://www.rankiteo.com/company/vf-corporation

"id": "vf-027091825",
"linkid": "vf-corporation",
"type": "Cyber Attack",
"date": "10/2021",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"

{'affected_entities': [{'customers_affected': 48,
                        'industry': 'Apparel & Footwear',
                        'name': 'VF Outdoor, LLC (d/b/a Timberland)',
                        'type': 'Corporation'}],
 'attack_vector': 'Credential Stuffing',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': 48,
                 'personally_identifiable_information': 'Partial (email '
                                                        'addresses)',
                 'sensitivity_of_data': 'Moderate (credentials)',
                 'type_of_data_compromised': ['Email addresses', 'Passwords']},
 'date_detected': '2021-11-05',
 'date_publicly_disclosed': '2022-01-26',
 'description': 'The Maine Office of the Attorney General reported a data '
                'breach involving VF Outdoor, LLC doing business as '
                'Timberland®. The breach was discovered on November 5, 2021, '
                'and involved a credential stuffing attack that affected 48 '
                'individuals, including 1 resident of Maine. The compromised '
                'information included email addresses and passwords but did '
                'not involve payment card information.',
 'impact': {'data_compromised': ['Email addresses', 'Passwords'],
            'identity_theft_risk': 'Potential (due to exposed credentials)',
            'payment_information_risk': 'None'},
 'references': [{'date_accessed': '2022-01-26',
                 'source': 'Maine Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'Maine Attorney '
                                                       'General'},
 'response': {'communication_strategy': 'Public disclosure via Maine Attorney '
                                        'General'},
 'title': 'Timberland Data Breach via Credential Stuffing Attack',
 'type': 'Data Breach'}

VF Outdoor, LLC

Microsoft: Malicious AI extensions on VSCode Marketplace steal developer data

Okta, Salesforce and Google: ShinyHunters claim to be behind SSO-account data theft attacks

Greenvelope and LogMeIn: Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access