Blogs & Opinions 10.07.2025

CISO ‘How to’ Without the Bull: Credential Stuffing Response

When credential stuffing attacks hit the retail sector, user friction gets pitted against fraud protection.

In the latest of my “no bullshit” cyber blogs, I’ll explain how retail CISOs should respond to a credential stuffing attack. My name is Nick Harris, and I’m the CISO in Residence at Assured.

In light of a few online retailers (including North Face) suffering customer account compromise cyber attacks and the news of the 23&Me fine after a similar event, I’ve analysed the type of attack deeper.

It appears that North Face suffered a data breach via a credential stuffing attack (the mass use of previously breached usernames and passwords against a website), originally notifying the authorities on 4 April 2025 after first discovery on 13 March 2025. North Face has experienced this type of attack before, having suffered credential stuffing attacks in November 2020 and September 2022, followed by a ransomware attack in December 2023.

From experience, I know that incidents like these inevitably lead to a conversation about balancing the amount of friction a business is prepared to add to a customer’s purchase journey (risking abandoned shopping baskets) in order to enhance security and prevent fraud.

Let’s explore credential stuffing attacks and, perhaps more importantly, how to best defend against the subsequent losses.

What are we talking about?

Think of a credential stuffing attack as an ecosystem which can be boiled down to the use of historic usernames and passwords stolen from a different third party and reused to successfully gain unauthorised access to an account. For this blog, I’m focussing on retail and therefore customer accounts.

Why should businesses care?

If left unchecked, this type of attack leads to either the fraudulent purchase of items (including easily sold-on goods, such as gift cards and vouchers) with credit cards or vouchers stored in the account or stolen elsewhere. For high-value, easy-to-sell goods, this can be very attractive to criminals.

“Incidents like these inevitably lead to a conversation about balancing the amount of friction a business is prepared to add to a customer’s purchase journey in order to enhance security and prevent fraud”

Retailers often overlook the second issue with these attacks: unauthorised access and exfiltration of personal details. This may be a shipping address, purchase history or even details such as date of birth, all of which can be used in social engineering attacks and identity theft. A third party accessing customer accounts and the personal data held within equates to a data breach. Therefore, the retailer needs to confidently know who is impacted and by what degree of harm. Only then can they inform the impacted data subjects and notify the ICO of exactly which personal details were accessed.

But don’t fear, all is not lost, as I will share methods to address this.

Who owns the problem?

Cyber teams are great at staff account protection. They’ll have MFA, conditional access policies, logs and alerts. Sometimes, however, customer accounts don’t get the same level of attention and security. This is a mistake. There is a great opportunity to show genuine financial value by using the resources at hand.

In my experience, store fraud (shop lifting, fake returns, etc.) is well understood by the business, but online fraud can be a grey area, particularly as multi-channel retailers have multi-channel fraud. I firmly believe that cyber can own the customer account compromise protection. As the cyber team likely has the best logs, the best insight and some great analytical brains, they can show real business value by owning the entire chain of anti-fraud protections. Let me introduce a valuable three-way strategy:

The triad

The controls to address credential stuffing require three internal parties:

  • The security team to present enhanced controls to keep customer accounts (and their personal details) safe, and reduce business fraud levels.
  • The engineering team have the skills and resources required to make the changes in conjunction with all the feature requests they’re being asked to deliver.
  • The product, sales or customer team has a vested interest in the customer journey and sales revenue and, for good reason, has a healthy tension with the security controls. Ultimately, I’ve found this team has the veto on anything and prioritises the backlog.

This working triad addresses the security, customer and effort required. A group of empowered individuals from each of the three parties can make a real difference, representing their areas and the interests of those they represent. It’s also a perfect forum to share upcoming sales promotions or loyalty card point cash-ins, as knowing this can really help tailor the controls in advance.

The options for addressing the credential stuffing problem are shared below, as I walk through the cred stuffing ecosystem. Note, as always, a lot of the steps require a considered trade-off between customer friction and fraud prevention.

The credential stuffing ecosystem and how to break it:

Each numbered stage is followed by the defensive options that break it:
1. Party A hacks a third-party website and usernames/passwords are stolen. Often these passwords are hashed and need cracking. Sometimes, these are already in clear text.
  • There isn’t much the retailer can do at this stage, although individually we can check if our details are in a breach at the newly redesigned https://haveibeenpwned.com/
2. Party A sells this long list of data to Party B on a marketplace, typically the dark web.
  • Threat intel can highlight where access to certain retailers’ accounts is being sold. This list can be bought in advance by a safe third party.
3. Party B uses a bot to attempt to automate logging into a website with every username/password. Because people re-use passwords, a percentage of these will be successful. Party B sells this shortlist for a higher value, making a profit.
  • MFA isn’t always possible for customers, but it is recommended.
  • Use a WAF with strong bot protections based on ID, behaviours and IPs or ASNs. Use the WAF to block certain geolocations or ASNs. Sometimes a block of only 20 minutes is enough.
  • Employ a CAPTCHA to ensure only human logins (not bots). Often, bots can circumvent this.
  • Use DDoS protections and DNS health checks on public-facing sites.
  • Have strong detection mechanisms for spikes in log-in attempts, failed log-ins and high-risk IPs.
  • Correlating the data of successful log-ins allows retailers to know which accounts are high-risk and which have been accessed by the third party. This is the first part of knowing when and what to notify the ICO.
  • Reset the passwords for the customers with accessed accounts before step 4.
4. Party C buys the confirmed successful logins from Party B and uses either stored credit cards, subscriptions or stolen credit cards to purchase items to a different delivery address.
  • Analyse page logs, then tell the security team if purchase history or the shipping address has been accessed or changed. This helps the second part of notifying the ICO of the personal data breach.
  • Require OTP or email verification for a change to delivery address or account password, or when sign-in hits a risk threshold.
  • Apply anti-fraud algorithms to the online payment system. Tailor these for risky products like high-value, easy-to-ship items.
  • Have the ability to clear a customer’s purchase history. They won’t want to log in and see items they didn’t buy.
5. Party C sells fraudulently purchased goods for a profit. This might also entail returning the items for a refund, sometimes to multiple stores, or shipping back a returned box of the right weight containing nothing of value.
  • Apply additional ID checks or refund rules for high-value or high-risk items.
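As an added example that is not part of the original post (and not Assured’s tooling), here is a minimal version of the stage 3 detection and correlation logic run over constructed auth-log lines: it flags source IPs that try many distinct usernames with a high failure rate inside a short window, then lists the accounts those IPs logged into successfully, which is the reset-and-notify list the stage 3 bullets describe. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
# IPs are from the RFC 5737 documentation ranges.
LOG_LINES = """\
2025-03-13T10:00:01Z 203.0.113.7 alice@example.com FAIL
2025-03-13T10:00:02Z 203.0.113.7 bob@example.com FAIL
2025-03-13T10:00:03Z 203.0.113.7 carol@example.com OK
2025-03-13T10:00:04Z 203.0.113.7 dave@example.com FAIL
2025-03-13T10:00:05Z 203.0.113.7 erin@example.com FAIL
2025-03-13T10:00:06Z 203.0.113.7 frank@example.com OK
2025-03-13T10:05:00Z 198.51.100.4 carol@example.com OK
2025-03-13T10:30:00Z 192.0.2.9 alice@example.com FAIL
2025-03-13T10:30:20Z 192.0.2.9 alice@example.com OK
""".splitlines()

# Assumed thresholds; tune against your own baseline of normal login traffic.
WINDOW = timedelta(minutes=10)
MIN_USERS = 5        # distinct usernames from one IP inside the window
MIN_FAIL_RATE = 0.5  # share of attempts that failed inside the window

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def stuffing_sources(lines):
    """Return source IPs that spray many distinct usernames with mostly failures.
    A normal user retrying their own password hits one username, so it is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in map(parse, lines):
        by_ip[ip].append((ts, user, result))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, r in window if r == "FAIL")
            if len(users) >= MIN_USERS and fails / len(window) >= MIN_FAIL_RATE:
                flagged.add(ip)
                break
    return flagged

def accessed_accounts(lines):
    """Accounts with a successful login from a flagged IP: the password-reset
    and customer-notification list, and the starting point for the ICO record."""
    bad = stuffing_sources(lines)
    return sorted({u for _, ip, u, r in map(parse, lines) if ip in bad and r == "OK"})
```

Run over real WAF or application logs, the same two outputs feed the triad directly: the flagged IPs go to the WAF block list and the accessed accounts go to the forced-reset queue.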


Let’s talk about comms

The 23&Me strategy to place some of the blame on the customers may well have contributed to their fine, which I agree with. Public relations is paramount. Here are some tips:

  • Take ownership, showing transparency and humility. M&S were well commended for their initial email to customers (albeit a very different type of cyber incident).
  • Know how to best reach your customers. This is likely via an email distribution list. In some places, it’s harder than you think to actually send the email: customer services may have the contact details and the email template, but are unable to send emails on scale as they typically email individual customers. The mass-email system is often owned by marketing and not geared up for this task.
  • Have pre-prepared and pre-approved messages. The scenario of a cyber incident is predictable, so have options depending on the specific incident: weak password, suspected compromise, suspected access to personal data, fraudulent purchase.

Internal comms

Communicating internally the value the cyber team delivers reinforces the investment and effort. If played well, the savings or value of loss prevention can be argued for offsetting parts of the security budget. The art is using language that the business understands. For example:

  • Instead of: “We’ve had a spike in login attempts”, use: “we are absolutely certain which customers have had their accounts accessed, and we’re sending them clear guidance”
  • Instead of: “We have a CAPTCHA in place”, use: “a combination of our checkout controls has prevented £xxx of product being stolen by criminals”
  • Instead of: “We have comprehensive sales logs”, use: “We’ve declined refunds for £xxx of suspected, risky product, preventing the business from losing £xxx”
