Under Armour investigates 72M customer data breach after hacker forum leak

A thief doesn't need your password if they have your name, email, and what you bought.
Why the Under Armour breach is dangerous even without stolen credit card numbers or passwords.

In the closing months of 2025, the Everest ransomware group forced its way into Under Armour's systems and, when the company refused to pay, released the spoils into the open internet — exposing the personal records of roughly 72 million customers. The breach is a reminder that in the digital age, a single act of corporate defiance can ripple outward into millions of private lives, long after the original confrontation has ended. What was stolen was not merely data, but the raw material from which deception is crafted: names, birthdates, purchase histories, and the quiet details that make a stranger sound like someone you trust.

  • The Everest ransomware group breached Under Armour in November 2025 and, after the company refused to pay, dumped 72 million customer records onto a public hacker forum two months later.
  • The exposed data — names, email addresses, birthdates, ZIP codes, and purchase histories — is enough to build convincing, personalized phishing attacks even without passwords or payment card numbers.
  • Employee email addresses were also compromised, raising the threat of business email compromise scams that could extend the damage well beyond the customer base.
  • Under Armour has engaged external cybersecurity firms and confirmed payment systems and passwords appear untouched, but the investigation remains open and the data is already circulating.
  • Affected users are urged to enable two-factor authentication, change reused passwords, verify their exposure through Have I Been Pwned, and treat any incoming messages referencing purchases or accounts with sharp suspicion.

In November 2025, the Everest ransomware group broke into Under Armour's systems and demanded payment to keep stolen files private. The company refused. Two months later, the data surfaced on a public hacker forum, and the breach notification service Have I Been Pwned began alerting the approximately 72 million customers whose email addresses, names, birthdates, gender information, ZIP codes, and purchase histories had been exposed.

Under Armour moved to contain the fallout, stating that payment systems and customer passwords appeared unaffected and that its main website remained operational. External cybersecurity firms were brought in to assist the ongoing investigation. But the company did not dispute the scale of what had leaked — or the fact that an unauthorized party had obtained it.

The deeper danger is not what was taken, but what can be built from it. Criminals armed with a customer's name, email, birthdate, and purchase history can craft phishing messages that feel personal and credible — referencing a recent order or a fitness goal before steering the victim toward a malicious link. Employee email addresses were also exposed, opening a secondary front of risk through business email compromise scams. Over time, this data can be merged with records from other breaches to construct identity profiles that are far harder to defend against.

For those affected, the path forward is clear if not easy. Reused passwords should be changed immediately, ideally through a password manager. Two-factor authentication should be activated on email and financial accounts first. Incoming messages that reference purchases or demand urgent account action should be treated as suspect — legitimate companies do not operate that way. Users can check their exposure directly at Have I Been Pwned.

The longer arc of the threat is harder to contain. Stolen personal data often flows to data brokers and resurfaces in new scams for years. Data removal services offer partial relief but no guarantees. What the Under Armour breach makes plain is that the harm from a ransomware attack does not end when the breach is discovered — it unfolds slowly, in the inboxes and accounts of millions of ordinary people who had no part in the original confrontation.

In November 2025, the Everest ransomware group breached Under Armour's systems and demanded payment in exchange for not releasing internal files. The company refused. Two months later, in January 2026, customer data from that attack surfaced on a public hacker forum. Within days, the breach notification service Have I Been Pwned obtained a copy of the stolen records and began alerting affected users by email. The scope was staggering: approximately 72 million customer email addresses had been compromised, along with names, birthdates, gender information, ZIP codes, and purchase histories.

Under Armour moved quickly to contain the damage, issuing a statement that its investigation was ongoing with help from external cybersecurity firms. The company emphasized that payment processing systems and customer passwords appeared untouched, and that the breach did not affect its main website or payment infrastructure. Still, the company acknowledged that an unauthorized third party had obtained certain data. What Under Armour did not dispute was the scale of the exposure or the nature of the information that had leaked.

The real danger lies not in what was stolen, but in how it can be weaponized. Cybercriminals do not need credit card numbers to cause serious harm. A thief armed with a customer's name, email address, birthdate, and purchase history can craft a phishing email that feels authentic and urgent. They might reference a recent order or a fitness goal the customer had mentioned in their purchase history, building false credibility before asking the victim to click a link or download an attachment. Over time, this exposed data can be merged with information from other breaches to build detailed identity profiles that are far more difficult to defend against.

The breach also exposed email addresses belonging to Under Armour employees, creating a secondary risk. Corporate email addresses are prime targets for phishing and business email compromise scams, where attackers impersonate trusted contacts to steal money or access sensitive systems. The employee exposure could have ripple effects beyond the customer base.

For the 72 million affected users, the immediate steps are straightforward but essential. Anyone who reused the same password across multiple sites should change those passwords immediately, ideally using a password manager to generate and store unique credentials for each account. The Have I Been Pwned website allows users to enter their email address and confirm whether their information appears in the leaked dataset. Two-factor authentication should be enabled on email accounts first, then on shopping, fitness, and financial accounts—adding a second verification step that prevents account takeover even if a password is compromised.

Vigilance around incoming messages is critical. Phishing emails tied to this breach will likely arrive in the coming weeks and months, some appearing to come from Under Armour or other fitness brands. Messages claiming there is a problem with an account or a recent purchase should be treated with suspicion. Legitimate companies do not demand immediate action via email or text. Instead of clicking links in unsolicited messages, users should navigate directly to the official website to check their accounts.

Beyond these immediate precautions, the longer-term risk is harder to manage. Exposed personal data often ends up with data brokers who collect and sell detailed profiles to scammers and other bad actors. Data removal services can help by requesting deletion from hundreds of websites and monitoring for reappearance, though no service can guarantee complete removal from the internet. The cost of such services is real, but so is the value of limiting what information is publicly available about you.

The Under Armour breach is a reminder that even large, well-resourced companies are targets for sophisticated attacks. What begins as a ransomware extortion attempt can evolve into a long-term threat to millions of people. The damage does not end when the breach is discovered—it unfolds over months and years as stolen data is weaponized in new ways. Staying alert now, taking defensive action today, and monitoring accounts going forward can significantly reduce the risk of becoming a victim later.

Our investigation of this issue, with the assistance of external cybersecurity experts, is ongoing. Importantly, at this time, there's no evidence to suggest this issue affected UA.com or systems used to process payments or store customer passwords.
— Under Armour spokesperson
A Conversa do Hearth Outra perspectiva sobre a história
Inventor

So the Everest group breached Under Armour in November, but the data didn't surface until January. What happened in those two months?

Model

The attackers were likely trying to extort the company first. When Under Armour refused to pay, they sold the data to someone else or posted it themselves. The delay between the breach and the public leak is actually pretty common—it gives the attackers time to monetize the data in different ways.

Inventor

Under Armour says passwords weren't compromised. Does that mean customers are actually safe?

Model

Not really. A thief doesn't need your password if they have your name, email, birthdate, and what you bought. They can use that to craft a phishing email that feels personal and urgent. You're more likely to click a link if it references something real about you.

Inventor

Why does it matter that employee emails were also exposed?

Model

Employee emails are gold for attackers. They can use them to impersonate trusted people inside the company, or they can target those employees directly with spear-phishing attacks that look like they're coming from colleagues or vendors. It's a way to get deeper into the organization.

Inventor

The article mentions combining this breach with other breaches. How does that work?

Model

Imagine an attacker has your Under Armour data from this breach, plus your Target data from a previous breach, plus your LinkedIn profile. They can cross-reference all of it to build a detailed picture of who you are, what you care about, where you live, and what you buy. That makes their scams much more convincing and harder to spot.

Inventor

Is there anything a person can actually do to make themselves harder to target?

Model

Yes. Two-factor authentication stops most account takeovers immediately. Unique passwords for each site means one breach doesn't unlock everything. And being skeptical of any message that pressures you to act fast—that's the oldest trick in the book, and it still works because people are busy and trust is a powerful thing.

Quer a matéria completa? Leia o original em Fox News ↗
Fale Conosco FAQ