# Under Armour Acknowledges Massive Data Breach Affecting 72 Million Customers
Under Armour has stated it is **aware of data breach claims** following the public release of customer records on hacking forums, marking the company’s first official acknowledgment of the incident that has sent shockwaves through the cybersecurity and retail sectors[7]. The breach, attributed to the **Everest ransomware group**, allegedly occurred in November 2025 and exposed the personal information of approximately 72.7 million individuals[1][3].
## The Scope of the Breach
The leaked dataset is staggering in scale. A threat actor using the moniker ‘thelastwhitehat’ posted a 19.5GB dataset on an illicit marketplace, claiming it contains approximately 72,727,245 unique email addresses and a total of 191,577,365 records stolen from Under Armour[1]. According to Have I Been Pwned (HIBP), a platform that tracks data breaches, the exposed information includes far more than just email addresses[4].
The compromised data encompasses **names, dates of birth, genders, geographic locations, and purchase history**[4][5]. In some cases, the leaked records also contain phone numbers, physical addresses, loyalty program details, and preferred store information[3]. Cybernews researchers confirmed that the exposed data includes both customer and employee email addresses, as well as marketing data such as purchase history and store locations[1]. However, according to initial reports, the personally identifiable information wasn’t as extensive as feared, comprising first names, genders, and approximate locations, but notably lacking last names or full physical addresses in many records[1].
Interestingly, of the 72.7 million email addresses exposed, 76% have already appeared in previous data breaches, according to HIBP[1]. This suggests that many victims may have been compromised in prior incidents, potentially compounding their vulnerability to future attacks.
## How the Breach Unfolded
The Everest ransomware group first claimed Under Armour as a victim in November 2025, alleging they had exfiltrated 343GB of internal company data[1][2]. The group issued an extortion demand, threatening to release the stolen information unless Under Armour paid an undisclosed ransom within a seven-day deadline[1][3]. When the company failed to meet this deadline, the attackers made good on their threat, publishing the data on their dark web leak site[2].
By January 2026, the dataset had spread from the attackers’ site to underground hacking forums, where it was eventually indexed by data breach tracking platforms like DeHashed and HIBP[2]. The data appears to have been exfiltrated from multiple dashboards, resulting in varying record counts and exposed data types across the leaked files[1].
## The Real Danger: Phishing and Identity Theft
Security experts warn that the combination of email addresses with detailed personal information and purchase histories creates an ideal environment for sophisticated cyberattacks. Leaked personal information, especially when combined with purchase history details, is highly sensitive and valuable to fraudsters, enabling them to craft convincing, targeted phishing attacks against victims[1].
According to Rob Babb, Exposure Management Strategist at Seemplicity, the true impact of this breach extends far beyond the headline number of exposed emails[5]. “With a verified list tied to a real brand, attackers can use AI to craft phishing messages that reference real orders, transaction IDs, and purchase behavior, blurring the line between fraud and legitimate communication,” Babb warns[5]. The real danger, experts suggest, will likely surface weeks or months after the initial breach announcement, once public attention has waned[5].
## Legal Consequences and Class Action Lawsuits
Under Armour now faces significant legal fallout from the breach. Multiple class action lawsuits have already been filed in the United States, with plaintiff Orvin Ganesh seeking to represent a nationwide class of individuals whose personal information was compromised[6]. The lawsuit alleges that Under Armour failed to implement and maintain reasonable safeguards, comply with industry-standard data security practices, and properly train employees on data security measures and protocols[6].
The complaint specifically argues that Under Armour failed to adequately protect private information and “to even encrypt or redact” highly sensitive information[1]. Ganesh claims that Under Armour had “numerous” statutory, regulatory, contractual, and common law duties and obligations to keep individuals’ personally identifiable information confidential and securely maintained[6]. The lawsuit further contends that by implementing and maintaining reasonable safeguards and complying with standard data security practices, Under Armour could have prevented this breach[6].
## Company Response and Moving Forward
Notably, the lawsuit claims that Under Armour has not acknowledged the data breach or notified impacted individuals that their sensitive personal data has been exposed[6], though the company’s recent acknowledgment of awareness regarding the breach claims represents a shift in this position[7].
As the situation continues to develop, Under Armour customers should remain vigilant about suspicious emails and unsolicited communications that reference their purchase history or account details. The company faces a critical moment in managing both the technical aftermath of the breach and the reputational damage that comes with failing to protect millions of customers’ personal information.
Original source: TechCrunch – Under Armour says it’s ‘aware’ of data breach claims after 72M customer records were posted online

Leave a Reply