Nike Investigates Alleged Data Theft and Extortion by WorldLeaks
Nike said it is investigating a potential cybersecurity incident after the WorldLeaks extortion group claimed it accessed Nike systems and stole data. WorldLeaks added Nike to its Tor leak site and subsequently published what it described as ~1.4 TB of data (roughly 188k files), using the leak to pressure the company. Nike stated it is actively assessing the situation and emphasized consumer privacy and data security.
Reporting characterized WorldLeaks as an extortion-focused operation that shifted away from ransomware-style encryption to data theft and leak-based coercion, and noted it emerged after rebranding from Hunters International amid increased law-enforcement pressure. Separate from the Nike matter, Morphisec reported an unrelated eScan antivirus supply-chain compromise in which malicious updates were distributed via legitimate update infrastructure, deploying multi-stage malware and blocking remote remediation by tampering with the Windows hosts file and eScan registry settings; this incident requires manual vendor-assisted remediation for affected endpoints.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Nike says it is investigating the claimed cyber incident
Nike stated that it was investigating a potential cybersecurity incident after WorldLeaks' claims and alleged data publication. The company said it was assessing the situation to verify the claims, determine any impact, and protect consumer privacy and data security.
WorldLeaks publishes alleged 1.4TB of Nike data
WorldLeaks escalated its claim by publishing what it said was 1.4TB of data stolen from Nike. The release increased the apparent severity of the incident from a claim to an alleged data leak.
WorldLeaks adds Nike to its leak site
The extortion group WorldLeaks listed Nike on its Tor-based leak site, claiming it had accessed and stolen data from the company. This appears to be the first public indication of the alleged incident.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WorldLeaks Extortion Group Claims Theft and Leak of 1.4TB of Nike Corporate Data
Nike is investigating a **potential cybersecurity incident** after the extortion group **WorldLeaks** claimed it exfiltrated and published more than **1.4TB** of data from Nike’s internal systems. Reporting indicates the leak contains roughly **188,347–190,000 files**, and that WorldLeaks posted Nike on its leak site with a countdown timer that expired around **Jan. 25–26 (GMT)**, after which the group released what was described as a “full-on data dump.” Nike confirmed it is assessing the situation and emphasized consumer privacy and data security, but did not confirm the breach scope, the intrusion vector, or whether any customer data was impacted. The leaked material is described as primarily **highly sensitive corporate and operational data**, including R&D and manufacturing information such as design assets (e.g., tech packs, prototypes, schematics) and supply-chain details (e.g., factory audits, partner information, production workflows), along with internal presentations and training materials. Both accounts note speculation that the intrusion may have involved a **third-party/supply-chain exposure**, though this remains unconfirmed. WorldLeaks is characterized as an extortion-focused operation that publicly pressures victims via data-leak threats, and is reported to have emerged as a successor/rebrand of **Hunters International**, shifting emphasis from encryption to **data theft and publication**.
Mar 21, 2026
Ransomware Groups Claim Data-Theft Attacks Against Major Sportswear Brands
**Under Armour** customer data tied to an **Everest** ransomware intrusion was added to *Have I Been Pwned*, including **~72 million email addresses** and additional fields such as names, birthdates, gender, purchase details, and location information. Reporting notes Everest previously claimed theft of **343 GB** from Under Armour and threatened public release if negotiations did not occur; commentary also highlighted the downstream risk of exposed data enabling targeted phishing and social engineering, and described Everest as expanding beyond encryption into **initial access brokering** using remote access tools and weak credentials. Separately, **Nike** was listed by the **WorldLeaks** ransomware/extortion group on its darknet leak site, with the actor claiming data exfiltration and threatening to publish stolen data. Nike publicly stated it is **investigating a potential cybersecurity incident**, while the attacker’s post provided limited verifiable detail and the total volume of data remains unconfirmed; the report alleged exposure could include internal documentation and customer/employee information, and described WorldLeaks as an **extortion-only** rebrand of *Hunters International* focused on data theft rather than file encryption.
Mar 21, 2026
Adidas Investigates Alleged Third-Party Data Breach Claimed by Lapsus$
**Adidas** confirmed it is investigating an alleged data breach tied to one of its independent licensing partners/third-party customer service providers after a threat actor claiming affiliation with **Lapsus$** posted on *BreachForums* that they compromised Adidas’ extranet and stole a dataset described as **815,000 rows**. The purported data includes names, email addresses, passwords, birthdates, company names, and other technical information; Adidas said it has **no evidence** its core IT infrastructure, e-commerce platforms, or consumer/customer data were impacted, and key details remain unverified while the investigation continues. Reporting also linked the claim to the broader **Scattered Lapsus$ Hunters** ecosystem (associated in coverage with social-engineering-driven intrusions), and noted Adidas has faced prior third-party exposure: in **May 2025**, Adidas notified customers that some data was stolen following unauthorized access to an external provider’s system. Separately, **ShinyHunters** claimed a different intrusion against **CarGurus** involving alleged theft of 1.7 million corporate files via voice-phished single sign-on codes; that incident is distinct from the Adidas/Lapsus$ allegation.
Mar 21, 2026