Data belonging to 72.7 million Under Armour customers has surfaced on hacking forums following a ransomware attack by the Everest group. Have I Been Pwned ingested the leaked dataset and began alerting affected users on January 21, 2026.
Incident overview
| Attribute | Details |
|---|---|
| Victim | Under Armour (athletic apparel) |
| Attacker | Everest ransomware group |
| Data volume exfiltrated | 343 GB |
| Unique email addresses | 72,727,245 |
| Total records | 191,577,365 |
| Attack date | November 2025 |
| Leak date | January 18, 2026 |
| Company response | Silent (no acknowledgment) |
Timeline
| Date | Event |
|---|---|
| November 2025 | Everest compromises Under Armour systems |
| November 16, 2025 | Everest posts Under Armour on leak site with 7-day deadline |
| November 2025 | Under Armour doesn’t respond to ransom demand or media inquiries |
| January 18, 2026 | Everest member leaks full dataset on cybercrime forum |
| January 21, 2026 | Have I Been Pwned adds dataset; public disclosure |
| January 2026 | Class action lawsuits filed in Texas and Maryland |
What was exposed
Have I Been Pwned confirmed the leaked data includes:
| Data Type | Records |
|---|---|
| Email addresses | 72.7 million unique |
| Names | Yes |
| Dates of birth | Yes |
| Genders | Yes |
| Geographic locations | Yes |
| Purchase history | Yes |
Additional data claimed by Everest
| Data Type | Status |
|---|---|
| Phone numbers | Claimed |
| Physical addresses | Claimed |
| Loyalty program details | Claimed |
| Preferred store locations | Claimed |
| Customer preferences | Claimed |
The complete dataset contains 191,577,365 records, suggesting multiple records per customer (likely representing individual transactions or profile updates).
What was NOT exposed
Under Armour stated there’s no evidence that the following were affected:
| Data Type | Status |
|---|---|
| UA.com login credentials | Not compromised |
| Payment processing systems | Not affected |
| Customer passwords | Not accessed |
| Credit card numbers | Not included |
Under Armour’s response
The company has not formally acknowledged the breach or confirmed the data’s authenticity:
| Date | Response |
|---|---|
| November 2025 | No response to Everest’s initial posting |
| November 2025 | No response to media inquiries |
| January 2026 | “Aware” of claims; no confirmation |
| January 2026 | No direct customer notification |
This silence is unusual given the scale of the breach and the public availability of the data.
Legal action
Two class action lawsuits have been filed:
Texas (Orvin Ganesh v. Under Armour)
| Allegation | Details |
|---|---|
| Negligence | Failure to safeguard personal information |
| Damages | Ongoing monitoring costs, identity theft risk |
Maryland (Milreace Malone v. Under Armour)
| Allegation | Details |
|---|---|
| Inadequate security | Failure to implement reasonable data security measures |
| Encryption failures | Failure to properly encrypt sensitive information |
| Delayed notification | Failure to notify affected individuals promptly |
Under Armour is headquartered in Baltimore, Maryland.
About the Everest ransomware group
Everest has operated since December 2020 and has evolved into a sophisticated criminal enterprise:
Business model
| Activity | Description |
|---|---|
| Traditional ransomware | Encryption + extortion |
| Initial Access Broker (IAB) | Sells network access to other criminals |
| Data extortion | Threatens leak without encryption |
Notable previous targets
| Victim | Sector |
|---|---|
| Collins Aerospace | Aerospace/Defense |
| Svenska kraftnät | Swedish state power grid |
| Brazilian government | Government |
| ASUS (via supplier) | Technology |
| McDonald’s India | Fast food |
| Chrysler | Automotive |
| Iberia Airlines | Aviation |
| Multiple healthcare entities | Healthcare |
Tactics
| Tactic | Purpose |
|---|---|
| Short deadlines (7 days) | Maximum pressure for quick payment |
| Public leak site | Reputation damage threat |
| Forum posting | Widespread distribution if ransom unpaid |
| IAB services | Monetize access even without ransom |
Historical context
This isn’t Under Armour’s first major breach:
| Year | Incident | Records | Source |
|---|---|---|---|
| 2018 | MyFitnessPal breach | 150 million | Compromised subsidiary |
| 2026 | Everest ransomware | 72.7 million | Direct attack on Under Armour |
Under Armour sold MyFitnessPal in 2020. The current breach appears to target Under Armour’s own infrastructure rather than a subsidiary.
Risk assessment for affected customers
| Risk | Likelihood | Impact |
|---|---|---|
| Phishing attacks | High | Credential theft, fraud |
| Account takeover | Medium | If passwords reused |
| Identity theft | Medium | With combined PII |
| Physical targeting | Low | If addresses exposed |
| Purchase history abuse | Medium | Targeted scams |
Phishing scenarios
Attackers can use the exposed data for highly targeted phishing:
| Scenario | Data used |
|---|---|
| “Order confirmation” emails | Purchase history, name |
| “Loyalty program” scams | Loyalty details, email |
| “Shipping notification” fraud | Address, purchase history |
| Physical mail scams | Name, address |
Recommendations for affected customers
| Priority | Action |
|---|---|
| Critical | Check Have I Been Pwned for your email |
| Critical | Change passwords if reused elsewhere |
| High | Enable MFA on Under Armour and linked accounts |
| High | Monitor for phishing referencing Under Armour purchases |
| Medium | Consider credit monitoring |
Watch for
| Indicator | Meaning |
|---|---|
| Emails referencing specific Under Armour purchases | Targeted phishing |
| “Loyalty program” communications asking for verification | Scam attempt |
| Shipping notifications for orders you didn’t place | Fraud |
| Physical mail scams using your address | Data exploitation |
Lessons for organizations
The Under Armour breach illustrates several common retail security failures:
| Issue | Implication |
|---|---|
| 72 million records | Centralized database with broad access |
| 343 GB exfiltration | Insufficient DLP controls |
| Silent response | Delays customer notification |
| No acknowledgment | Regulatory and legal risk |
Security recommendations
| Control | Purpose |
|---|---|
| Data segmentation | Limit blast radius of breaches |
| DLP implementation | Detect large-scale exfiltration |
| Exfiltration detection | Alert on unusual data transfers |
| Incident response plan | Balance business and notification needs |
| Customer communication | Timely, transparent breach disclosure |
Regulatory implications
| Jurisdiction | Requirement |
|---|---|
| State privacy laws | Breach notification deadlines |
| GDPR (EU customers) | 72-hour notification requirement |
| FTC | Reasonable security expectations |
| Class action exposure | Negligence, damages |
Under Armour’s silence may create additional legal and regulatory exposure beyond the lawsuits already filed.
Context
The Under Armour breach demonstrates the ongoing evolution of ransomware tactics. Everest’s dual role as ransomware operator and initial access broker means stolen data gets monetized regardless of whether victims pay. The 343 GB exfiltration before the ransom demand indicates Everest prioritizes data theft alongside encryption.
For consumers, the breach underscores that retail loyalty programs and purchase history represent valuable targeting data for attackers. The combination of email addresses, purchase patterns, and personal details enables highly convincing phishing campaigns.
Retail organizations should segment customer data, implement DLP controls that detect large-scale exfiltration, and have incident response plans that balance business considerations with customer notification obligations.
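One way to implement the exfiltration-detection control recommended above, shown as an added example that is not from the article or from Under Armour: it totals outbound bytes per host per day and alerts when a day exceeds both an absolute floor and that host's own baseline (median plus a multiple of the median absolute deviation). The host names, flow-record fields, dates and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

MB, GB = 10**6, 10**9

# Constructed sample: outbound MB per day for three hypothetical hosts.
SAMPLE_MB = {
    "crm-db-01": [200, 210, 190, 205, 195, 40_000],  # quiet host, then a 40 GB day
    "backup-01": [60_000, 61_000, 59_000, 60_000, 62_000, 60_000],  # always large
    "web-01": [2_000, 2_000, 2_000, 3_000, 2_000, 2_000],  # small bump
}
# Flow records: (day, source host, destination, bytes out). The destination is a
# documentation-range address (RFC 5737).
FLOWS = [(f"2025-01-{i + 1:02d}", host, "203.0.113.10", mb * MB)
         for host, series in SAMPLE_MB.items() for i, mb in enumerate(series)]


def daily_egress(flows):
    """Sum outbound bytes per source host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def exfil_alerts(flows, min_bytes=5 * GB, k=6.0, min_history=3):
    """Return (host, day, bytes, threshold) for days whose egress exceeds both
    an absolute floor and the host's baseline (median + k * MAD of earlier days)."""
    alerts = []
    for src, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline for this host yet
            med = median(history)
            # MAD is robust to a single outlier; fall back to 1 byte if it is 0.
            mad = median(abs(x - med) for x in history) or 1
            threshold = max(min_bytes, med + k * mad)
            if per_day[day] > threshold:
                alerts.append((src, day, per_day[day], int(threshold)))
    return alerts


if __name__ == "__main__":
    for host, day, sent, limit in exfil_alerts(FLOWS):
        print(f"ALERT {host} {day}: {sent / GB:.1f} GB out (limit {limit / GB:.1f} GB)")
```

A fixed 5 GB rule alone would fire on `backup-01` every day; the per-host baseline suppresses that, while the floor keeps the small bump on `web-01` quiet.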