Extortion group WorldLeaks published 1.4 terabytes of Nike internal data on January 24, 2026, after the sportswear giant didn’t respond to ransom demands. Unlike typical breaches focused on customer databases, this leak centers on intellectual property—product designs, manufacturing processes, and supply chain details that could enable counterfeiting and competitive intelligence gathering.
Incident overview
| Attribute | Details |
|---|
| Victim | Nike, Inc. |
| Threat actor | WorldLeaks |
| Data volume | 1.4 TB |
| Files leaked | 188,347 |
| Data timespan | 2020-2026 |
| Customer PII | None observed (no names, addresses, payment data) |
| Employee PII | None observed |
| Social Security numbers | None observed |
Timeline
| Date | Event |
|---|
| January 22, 2026 | WorldLeaks lists Nike on darknet site with 7-day deadline |
| January 24, 2026 | Deadline passes; WorldLeaks publishes full 1.4TB dataset |
| January 26, 2026 | Nike confirms investigation |
| Shortly after | WorldLeaks removes Nike listing from site |
The removal of Nike’s listing shortly after publication typically indicates either active negotiations or ransom payment—though Nike has not confirmed either scenario.
What was published
The leaked archive contains 188,347 files spanning 2020 through 2026:
Product development data
| Category | Contents |
|---|
| Design schematics | Upcoming products including Jordan Brand SP27 collection |
| Technical packs | Detailed manufacturing specifications |
| Bills of materials (BoMs) | Component suppliers and costs |
| Prototypes | Design files and iterations |
Manufacturing operations
| Category | Contents |
|---|
| Factory audits | Compliance reports |
| Partner information | Manufacturing relationships |
| Process documentation | Garment making procedures |
| Training resources | Factory training materials |
Directory structure
| Directory name | Content type |
|---|
| ”Women’s Sportswear” | Product development |
| ”Men’s Sportswear” | Product development |
| ”Training Resource - Factory” | Manufacturing documentation |
| ”Garment Making Process” | Production procedures |
Cybernews researchers reviewed samples and assessed the files as legitimate. No customer or employee PII was observed in the leak.
Business impact assessment
Counterfeiting risk
| Impact | Assessment |
|---|
| Technical pack exposure | Counterfeiters can produce fakes without reverse engineering |
| BoM availability | Exact components and suppliers known |
| Pre-release designs | Counterfeits may hit market before authentic products |
| Quality matching | Manufacturing specs enable higher-quality fakes |
Competitive intelligence
| Impact | Assessment |
|---|
| Design pipeline visibility | Competitors see 6 years of product development |
| Material sourcing | Supply chain relationships exposed |
| Cost structures | BoMs reveal manufacturing economics |
| R&D direction | Strategic product focus visible |
Supply chain exposure
| Impact | Assessment |
|---|
| Factory audits | Supplier security posture revealed |
| Partner information | Third-party targeting enabled |
| Compliance reports | Vulnerability information available |
Product launch disruption
| Impact | Assessment |
|---|
| Design compromise | Leaked products may need redesign |
| Launch timing | Delays possible for compromised lines |
| Brand damage | Consumer trust implications |
Nike’s response
“We always take consumer privacy and data security very seriously. We are investigating a potential cyber security incident and are actively assessing the situation.”
— Nike spokesperson
As of publication, Nike has not:
- Confirmed whether the leaked data is authentic
- Disclosed how the breach occurred
- Confirmed or denied ransom negotiations
About WorldLeaks
WorldLeaks launched January 1, 2025, as a rebrand of Hunters International, a ransomware gang active from late 2023 to mid-2025.
Evolution from Hunters International
| Attribute | Hunters International | WorldLeaks |
|---|
| Active period | Late 2023 - Mid 2025 | January 2025 - Present |
| Tactics | Ransomware + extortion | Data theft + extortion only |
| Encryption | File encryption deployed | No ransomware |
| Leverage | Decrypt key + leak threat | Leak threat only |
WorldLeaks characteristics
| Attribute | Details |
|---|
| Model | Pure data theft and extortion |
| Ransomware | None deployed |
| Typical deadline | 7 days |
| Claimed victims | 116+ since January 2025 |
| Notable targets | Dell, UBS, Nike |
Why abandon ransomware?
| Factor | Benefit |
|---|
| Stealth | Exfiltration can go undetected longer |
| Simplicity | No encryption infrastructure needed |
| Reliability | No risk of faulty decryptors |
| Pressure | Leak threats still generate payments |
| Detection avoidance | IT doesn’t notice until data appears online |
The shift away from ransomware reflects a broader trend: encryption creates noise (IT notices immediately when systems go down) while pure exfiltration can go undetected for longer and still generates payment pressure through leak threats.
Industry implications
IP-focused breach trend
| Traditional target | Emerging target |
|---|
| Customer databases | Product designs |
| Payment card data | Manufacturing specs |
| Employee PII | Supply chain details |
| Financial records | R&D documentation |
The Nike breach demonstrates that customer databases aren’t the only valuable target. Product development pipelines contain IP worth potentially more than PII to certain threat actors.
Retail/apparel sector risk
| Valuable data | Risk level |
|---|
| Upcoming product designs | Critical |
| Manufacturing partnerships | High |
| Supplier pricing | High |
| Quality control processes | Medium |
Recommendations
For Nike customers
This breach doesn’t appear to include customer data. However:
| Risk | Mitigation |
|---|
| Phishing | Watch for scams referencing Nike products or purchases |
| Counterfeit products | Be cautious of unusually cheap “authentic” items |
For organizations
| Priority | Action |
|---|
| High | Segment intellectual property systems from general corporate networks |
| High | Monitor for unusual data exfiltration patterns |
| High | Implement DLP controls on sensitive design/manufacturing documentation |
| High | Audit third-party access to product development systems |
| Medium | Review data classification for IP vs. PII |
For retail/apparel industry
| Priority | Action |
|---|
| High | Recognize R&D systems as high-value targets |
| High | Implement monitoring on design file repositories |
| High | Review supply chain partner access controls |
| Ongoing | Update threat models beyond PII-focused scenarios |
Detection indicators
Organizations should monitor for:
| Indicator | Concern |
|---|
| Large outbound data transfers | Possible exfiltration |
| Access to archived design files | Unusual access patterns |
| After-hours file access | Non-business activity |
| Bulk file downloads | Data staging |
Context
The Nike breach exemplifies the evolution of extortion group tactics. By targeting intellectual property rather than customer data:
- No breach notifications required (no PII exposed)
- Longer useful lifespan for stolen data (designs remain valuable)
- Direct business impact (counterfeiting, competitive loss)
- Harder to quantify for legal/insurance purposes
Security programs focused primarily on protecting customer PII may miss significant IP exposure risks. Organizations with valuable intellectual property should ensure their security posture accounts for this expanded threat model.
Parallel incident: Under Armour
Nike is the second major sportswear brand breached in recent months:
| Brand | Threat actor | Date | Data type |
|---|
| Under Armour | Everest ransomware | November 2025 | Undisclosed |
| Nike | WorldLeaks | January 2026 | Intellectual property |
The targeting of multiple sportswear brands suggests attackers may be systematically pursuing this sector.
R&D investment context
The Nike breach highlights the value of research and development data:
| Factor | Impact |
|---|
| R&D spending | Nike invests billions annually in product development |
| Competitive advantage | Design IP represents years of innovation |
| Market timing | Pre-release designs enable counterfeit head starts |
| Supply chain intelligence | Manufacturing relationships are trade secrets |
Companies like Nike pour billions into R&D, and data leaks of this sort can severely hinder the competitive advantage those investments provide.
Notification requirements
Because no customer PII appears to be included in the leak:
| Requirement | Status |
|---|
| State breach notification | Likely not triggered |
| GDPR notification | May not apply (no EU personal data) |
| SEC disclosure | Under review (material impact assessment) |
| Customer notification | Not required |
This represents a gap in breach notification frameworks—significant intellectual property theft may not trigger the same disclosure requirements as PII breaches.
