Ransomware Groups Claim Data-Theft Attacks Against Major Sportswear Brands
Under Armour customer data tied to an Everest ransomware intrusion was added to Have I Been Pwned, including ~72 million email addresses and additional fields such as names, birthdates, gender, purchase details, and location information. Reporting notes Everest previously claimed theft of 343 GB from Under Armour and threatened public release if negotiations did not occur; commentary also highlighted the downstream risk of exposed data enabling targeted phishing and social engineering, and described Everest as expanding beyond encryption into initial access brokering using remote access tools and weak credentials.
Separately, Nike was listed by the WorldLeaks ransomware/extortion group on its darknet leak site, with the actor claiming data exfiltration and threatening to publish stolen data. Nike publicly stated it is investigating a potential cybersecurity incident, while the attacker’s post provided limited verifiable detail and the total volume of data remains unconfirmed; the report alleged exposure could include internal documentation and customer/employee information, and described WorldLeaks as an extortion-only rebrand of Hunters International focused on data theft rather than file encryption.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Nike acknowledges allegation and opens investigation
Nike said it was aware of the claims and began investigating a potential cybersecurity incident, stating it was actively assessing the situation with attention to consumer privacy and data security. The company did not confirm the attackers’ claims or disclose whether customer or employee data was affected.
World Leaks publishes alleged Nike data samples
By January 24, 2026, World Leaks had published Nike data on its leak site, including samples tied to what it said was a 1.4 TB haul. Filenames and directories reportedly suggested the material related mainly to internal design, manufacturing, and supply-chain workflows.
Have I Been Pwned adds 72 million Under Armour emails
Millions of email addresses allegedly stolen from Under Armour were added to the Have I Been Pwned breach-notification service, with reporting putting the total at about 72 million. The appearance of the dataset prompted Under Armour to investigate the breach.
World Leaks claims Nike breach and sets leak deadline
On January 22, 2026, World Leaks listed Nike as a victim, claimed it had breached the company and exfiltrated data the same day, and said it would publish the stolen data on January 25 at 6 PM GMT. One report cited alleged impact figures including 481,183 compromised users, 220 employees, and 444 third-party employee credentials, though these claims were unconfirmed.
Everest claims November breach of Under Armour
In November 2025, the Everest ransomware gang reportedly stole data from Under Armour, later claiming it had exfiltrated 343 GB and threatening to leak the information if the company did not negotiate. Reported exposed data included customer and personal information.
World Leaks rebrands from Hunters International
The extortion-focused group World Leaks emerged as a rebrand of Hunters International in January 2025, shifting emphasis from encryption-based ransomware to data theft and leak extortion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Nike investigates data breach after extortion gang leaks files
bleepingcomputer.com
Open sourceNike probes potential cyber incident after hackers claim data leak | The Record from Recorded Future News
therecord.media
Open sourceAlleged WorldLeaks breach of Nike under probe | SC Media
scworld.com
Open sourceData thieves claim they stole 1.4 TB from Nike and • The Register
go.theregister.com
Open sourceMillions of stolen Under Armour customer emails added to Have I Been Pwned | SC Media
scworld.com
Open sourceNike Allegedly Hacked by WorldLeaks Ransomware Group
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Under Armour Investigates Everest Ransomware Data Leak Affecting 72M Customers
Under Armour said it is investigating claims that an unauthorized party obtained customer data after a dataset tied to the company was posted to a hacker forum and subsequently ingested by breach-notification services. **Have I Been Pwned** reported obtaining a copy of the data and notifying roughly **72 million** individuals; the exposed information reportedly includes names, email addresses, gender, date of birth, approximate location (postcode/ZIP-derived), and purchase-related data, and also contains numerous Under Armour employee email addresses. Under Armour stated there is currently **no evidence** the incident affected *UA.com* or systems used to process payments or store customer passwords, while noting that the portion of customers with “sensitive” information impacted is believed to be small. Multiple reports tie the leak to a **November 2025** intrusion claimed by the **Everest** ransomware group, which alleged Under Armour failed to meet a negotiation deadline and that the data was then published and redistributed across forums and leak sites. One account describes the theft as involving **343 GB** of company data and indicates the forum-posted dataset includes **72 million email addresses** plus additional PII and purchase information; another report cites a much larger dataset claim (over **191 million records** with ~**72.7 million** unique email addresses) and notes a US class action lawsuit alleging negligence and large-scale exfiltration, including potential employee data. Reporting also reiterates Everest’s typical tradecraft, including credential-based access and use of remote access tooling (e.g., *AnyDesk*, *Splashtop*), though Under Armour has not publicly confirmed the intrusion vector or the full scope of data exfiltration.
Mar 21, 2026
Everest Ransomware Extortion Claims Target McDonald’s India and Under Armour
The **Everest** ransomware group publicly claimed two separate victim intrusions, alleging large-scale data theft and using leak-site pressure tactics. Everest posted that it breached **McDonald’s India**, claiming exfiltration of **861 GB** of customer data and internal documents and sharing screenshots purportedly showing financial reports, audit trails, pricing data, internal communications, and month-by-month directories suggestive of access to accounting/ERP systems. The leak claim also referenced a “Contact Database” spreadsheet with personal and business details of investors/partners across multiple countries and store-level operational data (e.g., manager names and contact numbers), alongside a short deadline for the company to respond. Separately, **Have I Been Pwned (HIBP)** reported ingesting files allegedly leaked by an Everest member that impacted **72.7 million Under Armour accounts**, with exposed fields including names, email addresses, dates of birth, gender, location, and purchase-related details; Everest additionally claimed other data types (e.g., phone numbers, addresses, loyalty details) and had previously threatened publication unless a ransom was paid. Under Armour had not publicly acknowledged the alleged incident at the time of reporting, and a proposed class action lawsuit was filed following Everest’s initial leak-site posting. A third report about **RansomHub** claiming an intrusion at Apple partner **Luxshare** describes a different ransomware operation and does not appear connected to the Everest claims.
Mar 21, 2026
Nike Investigates Alleged Data Theft and Extortion by WorldLeaks
Nike said it is investigating a potential cybersecurity incident after the **WorldLeaks** extortion group claimed it accessed Nike systems and stole data. WorldLeaks added Nike to its Tor leak site and subsequently published what it described as **~1.4 TB** of data (roughly **188k files**), using the leak to pressure the company. Nike stated it is actively assessing the situation and emphasized consumer privacy and data security. Reporting characterized WorldLeaks as an extortion-focused operation that shifted away from ransomware-style encryption to **data theft and leak-based coercion**, and noted it emerged after rebranding from **Hunters International** amid increased law-enforcement pressure. Separate from the Nike matter, Morphisec reported an unrelated **eScan antivirus supply-chain compromise** in which malicious updates were distributed via legitimate update infrastructure, deploying multi-stage malware and blocking remote remediation by tampering with the Windows `hosts` file and eScan registry settings; this incident requires manual vendor-assisted remediation for affected endpoints.
Mar 21, 2026