Under Armour Investigates Everest Ransomware Data Leak Affecting 72M Customers
Under Armour said it is investigating claims that an unauthorized party obtained customer data after a dataset tied to the company was posted to a hacker forum and subsequently ingested by breach-notification services. Have I Been Pwned reported obtaining a copy of the data and notifying roughly 72 million individuals; the exposed information reportedly includes names, email addresses, gender, date of birth, approximate location (postcode/ZIP-derived), and purchase-related data, and also contains numerous Under Armour employee email addresses. Under Armour stated there is currently no evidence the incident affected UA.com or systems used to process payments or store customer passwords, while noting that the portion of customers with “sensitive” information impacted is believed to be small.
Multiple reports tie the leak to a November 2025 intrusion claimed by the Everest ransomware group, which alleged Under Armour failed to meet a negotiation deadline and that the data was then published and redistributed across forums and leak sites. One account describes the theft as involving 343 GB of company data and indicates the forum-posted dataset includes 72 million email addresses plus additional PII and purchase information; another report cites a much larger dataset claim (over 191 million records with ~72.7 million unique email addresses) and notes a US class action lawsuit alleging negligence and large-scale exfiltration, including potential employee data. Reporting also reiterates Everest’s typical tradecraft, including credential-based access and use of remote access tooling (e.g., AnyDesk, Splashtop), though Under Armour has not publicly confirmed the intrusion vector or the full scope of data exfiltration.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Under Armour says it is investigating breach claims
On January 22, 2026, Under Armour said it was aware of the claims and was investigating with external cybersecurity experts. The company said it had no evidence that payment-processing systems or customer password systems were affected and disputed claims that tens of millions of sensitive records were compromised.
Have I Been Pwned indexes the breach and notifies victims
On January 21, 2026, Have I Been Pwned reported that the leaked Under Armour dataset had been published publicly and began sending breach notifications to about 72 million affected individuals.
Stolen Under Armour data is posted publicly online
In January 2026, data allegedly stolen from Under Armour was published on a hacking forum after Everest said the company missed its response deadline. Reports said the leak contained roughly 72 million unique email addresses and extensive customer and some employee information.
Class action lawsuits are filed over the alleged breach
In December 2025, lawsuits were filed in U.S. federal courts, including in Maryland and Texas, alleging Under Armour failed to adequately protect data and was negligent in connection with the November 2025 incident.
Everest claims November 2025 breach of Under Armour
In November 2025, the Everest ransomware group allegedly breached Under Armour, claimed to have stolen about 343 GB of internal and customer data, and listed the company on its leak site as part of a double-extortion attempt.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Under Armour Customer Data Breach 2025: Technical Analysis of Everest Ransomware Attack and Exposed Email Addresses
rescana.com
Open sourceUnder Armour Unfaces a Data Breach - TheCyberThrone
thecyberthrone.in
Open sourceInvestigation underway after 72M Under Armour records surface online
securityaffairs.com
Open sourceUnder Armour says it's 'aware' of data breach claims after 72M customer records were posted online | TechCrunch
techcrunch.com
Open sourceUnder Armour Ransomware Attack Exposes 72M Email Addresses - TechRepublic
techrepublic.com
Open sourceUnder Armour ransomware breach: data of 72 million customers appears on the dark web | Malwarebytes
malwarebytes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Groups Claim Data-Theft Attacks Against Major Sportswear Brands
**Under Armour** customer data tied to an **Everest** ransomware intrusion was added to *Have I Been Pwned*, including **~72 million email addresses** and additional fields such as names, birthdates, gender, purchase details, and location information. Reporting notes Everest previously claimed theft of **343 GB** from Under Armour and threatened public release if negotiations did not occur; commentary also highlighted the downstream risk of exposed data enabling targeted phishing and social engineering, and described Everest as expanding beyond encryption into **initial access brokering** using remote access tools and weak credentials. Separately, **Nike** was listed by the **WorldLeaks** ransomware/extortion group on its darknet leak site, with the actor claiming data exfiltration and threatening to publish stolen data. Nike publicly stated it is **investigating a potential cybersecurity incident**, while the attacker’s post provided limited verifiable detail and the total volume of data remains unconfirmed; the report alleged exposure could include internal documentation and customer/employee information, and described WorldLeaks as an **extortion-only** rebrand of *Hunters International* focused on data theft rather than file encryption.
Mar 21, 2026
Everest Ransomware Extortion Claims Target McDonald’s India and Under Armour
The **Everest** ransomware group publicly claimed two separate victim intrusions, alleging large-scale data theft and using leak-site pressure tactics. Everest posted that it breached **McDonald’s India**, claiming exfiltration of **861 GB** of customer data and internal documents and sharing screenshots purportedly showing financial reports, audit trails, pricing data, internal communications, and month-by-month directories suggestive of access to accounting/ERP systems. The leak claim also referenced a “Contact Database” spreadsheet with personal and business details of investors/partners across multiple countries and store-level operational data (e.g., manager names and contact numbers), alongside a short deadline for the company to respond. Separately, **Have I Been Pwned (HIBP)** reported ingesting files allegedly leaked by an Everest member that impacted **72.7 million Under Armour accounts**, with exposed fields including names, email addresses, dates of birth, gender, location, and purchase-related details; Everest additionally claimed other data types (e.g., phone numbers, addresses, loyalty details) and had previously threatened publication unless a ransom was paid. Under Armour had not publicly acknowledged the alleged incident at the time of reporting, and a proposed class action lawsuit was filed following Everest’s initial leak-site posting. A third report about **RansomHub** claiming an intrusion at Apple partner **Luxshare** describes a different ransomware operation and does not appear connected to the Everest claims.
Mar 21, 2026
Ultrahuman Breach Exposed Customer Wellness Data Through Stolen Employee Credentials
Ultrahuman disclosed that attackers accessed customer wellness data after using credentials stolen from an employee whose laptop was infected with malware. The intrusion targeted an internal analytics system on March 27, and the company said it detected the activity within hours, took the affected system offline, and revoked access. Ultrahuman said the attackers had **read-only** access and that passwords, payment information, production systems, and Ultrahuman Ring devices were not compromised. The company said about **0.1%** of users were affected, which based on its previously reported user base could amount to at least **700 customers**. Ultrahuman has begun notifying impacted users and regulators after completing an audit of the incident’s scope, but it has not confirmed whether any data was exfiltrated or specified exactly which wellness data was accessed.
Jun 4, 2026