WorldLeaks Extortion Group Claims Theft and Leak of 1.4TB of Nike Corporate Data
Nike is investigating a potential cybersecurity incident after the extortion group WorldLeaks claimed it exfiltrated and published more than 1.4TB of data from Nike’s internal systems. Reporting indicates the leak contains roughly 188,347–190,000 files, and that WorldLeaks posted Nike on its leak site with a countdown timer that expired around Jan. 25–26 (GMT), after which the group released what was described as a “full-on data dump.” Nike confirmed it is assessing the situation and emphasized consumer privacy and data security, but did not confirm the breach scope, the intrusion vector, or whether any customer data was impacted.
The leaked material is described as primarily highly sensitive corporate and operational data, including R&D and manufacturing information such as design assets (e.g., tech packs, prototypes, schematics) and supply-chain details (e.g., factory audits, partner information, production workflows), along with internal presentations and training materials. Both accounts note speculation that the intrusion may have involved a third-party/supply-chain exposure, though this remains unconfirmed. WorldLeaks is characterized as an extortion-focused operation that publicly pressures victims via data-leak threats, and is reported to have emerged as a successor/rebrand of Hunters International, shifting emphasis from encryption to data theft and publication.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers report no evidence of exposed consumer PII in the leak
Threat intelligence group JustaBreach said its review of the leaked files found no evidence of personally identifiable information such as email or payment data. The assessment instead emphasized exposure of sensitive corporate and operational information.
Nike says it is investigating a potential cybersecurity incident
After the leak became public, Nike stated that it was investigating or actively assessing a potential cybersecurity incident. The company did not disclose the full scope or any ransom-related details.
Ransom deadline expires and Nike data is dumped
Around January 25-26, 2026, WorldLeaks allegedly let the deadline lapse and published a large dataset said to contain more than 1.4TB and about 188,347 files from Nike. The leaked material reportedly spans 2020-2026 and includes R&D, product design, and supply-chain/manufacturing documents.
WorldLeaks posts Nike on its leak site with ransom countdown
WorldLeaks reportedly listed Nike on its dark web leak site and set a ransom deadline before public release of the stolen data. The group is described as an extortion-focused successor or rebrand of Hunters International.
Intrusion into Nike reportedly begins
One reference says the compromise of Nike's environment or related systems dates back to January 2025, though the exact intrusion vector and scope were not confirmed by Nike.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Nike’s Data Breach: WorldLeaks Strikes the Sportswear Giant - TheCyberThrone
thecyberthrone.in
Open sourceWorldLeaks Extortion Group Claims It Stole 1.4TB of Nike Data
darkreading.com
Open sourceWorldLeaks Extortion Group Claims It Stole 1.4TB of Nike Data
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Nike Investigates Alleged Data Theft and Extortion by WorldLeaks
Nike said it is investigating a potential cybersecurity incident after the **WorldLeaks** extortion group claimed it accessed Nike systems and stole data. WorldLeaks added Nike to its Tor leak site and subsequently published what it described as **~1.4 TB** of data (roughly **188k files**), using the leak to pressure the company. Nike stated it is actively assessing the situation and emphasized consumer privacy and data security. Reporting characterized WorldLeaks as an extortion-focused operation that shifted away from ransomware-style encryption to **data theft and leak-based coercion**, and noted it emerged after rebranding from **Hunters International** amid increased law-enforcement pressure. Separate from the Nike matter, Morphisec reported an unrelated **eScan antivirus supply-chain compromise** in which malicious updates were distributed via legitimate update infrastructure, deploying multi-stage malware and blocking remote remediation by tampering with the Windows `hosts` file and eScan registry settings; this incident requires manual vendor-assisted remediation for affected endpoints.
Mar 21, 2026
Ransomware Groups Claim Data-Theft Attacks Against Major Sportswear Brands
**Under Armour** customer data tied to an **Everest** ransomware intrusion was added to *Have I Been Pwned*, including **~72 million email addresses** and additional fields such as names, birthdates, gender, purchase details, and location information. Reporting notes Everest previously claimed theft of **343 GB** from Under Armour and threatened public release if negotiations did not occur; commentary also highlighted the downstream risk of exposed data enabling targeted phishing and social engineering, and described Everest as expanding beyond encryption into **initial access brokering** using remote access tools and weak credentials. Separately, **Nike** was listed by the **WorldLeaks** ransomware/extortion group on its darknet leak site, with the actor claiming data exfiltration and threatening to publish stolen data. Nike publicly stated it is **investigating a potential cybersecurity incident**, while the attacker’s post provided limited verifiable detail and the total volume of data remains unconfirmed; the report alleged exposure could include internal documentation and customer/employee information, and described WorldLeaks as an **extortion-only** rebrand of *Hunters International* focused on data theft rather than file encryption.
Mar 21, 2026
Adidas Investigates Alleged Third-Party Data Breach Claimed by Lapsus$
**Adidas** confirmed it is investigating an alleged data breach tied to one of its independent licensing partners/third-party customer service providers after a threat actor claiming affiliation with **Lapsus$** posted on *BreachForums* that they compromised Adidas’ extranet and stole a dataset described as **815,000 rows**. The purported data includes names, email addresses, passwords, birthdates, company names, and other technical information; Adidas said it has **no evidence** its core IT infrastructure, e-commerce platforms, or consumer/customer data were impacted, and key details remain unverified while the investigation continues. Reporting also linked the claim to the broader **Scattered Lapsus$ Hunters** ecosystem (associated in coverage with social-engineering-driven intrusions), and noted Adidas has faced prior third-party exposure: in **May 2025**, Adidas notified customers that some data was stolen following unauthorized access to an external provider’s system. Separately, **ShinyHunters** claimed a different intrusion against **CarGurus** involving alleged theft of 1.7 million corporate files via voice-phished single sign-on codes; that incident is distinct from the Adidas/Lapsus$ allegation.
Mar 21, 2026