Data Breach Retail / Apparel · Global · February 2026

Adidas Licensing Partner

Analysis of the Adidas licensing partner breach exposing 815,000 rows of data including plaintext passwords.

Records Affected

815,000 rows (approximately 130 unique accounts)

Attack Type

Data Breach

Location

Global

Data types exposed

Names, email addresses, plaintext passwords, birthdays, company details

What Happened

In February 2026, it was reported that 815,000 rows of data from an unnamed Adidas licensing partner had been exposed. The data includes names, emails, passwords, birthdays, and company details.
Although the number of unique accounts is small (approximately 130), the exposure of plaintext passwords for business accounts is particularly concerning.

Timeline

  • February 2026 — Data from Adidas licensing partner reported exposed

Impact and Risk Assessment

For Individuals

Approximately 130 business account holders had their credentials exposed in plaintext, enabling immediate account takeover if passwords were reused elsewhere.

For Organisations

Exposed business credentials could provide attackers with a foothold into Adidas's partner ecosystem for further supply chain attacks.
The discovery of plaintext password storage indicates fundamental security deficiencies at the licensing partner.

Regulatory Context

Plaintext password storage violates basic security standards under GDPR and most data protection frameworks. Regulatory action may follow if the partner is identified.

What Should You Do?

For Individuals

  • If you have business accounts with Adidas licensing partners, change your password immediately and ensure you are not reusing it elsewhere.

For Security Professionals

  • Audit your vendor ecosystem for plaintext password storage. This is an unacceptable security practice that should be a disqualifying finding in any vendor assessment.
  • Supply chain breaches through licensing and business partners can expose corporate credentials. Ensure your third-party risk management programme covers all partner types.
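One way to carry out the storage audit recommended above on a credential table you are authorised to review, as an added example (not code from the original advisory): it classifies each stored password value by format and collapses duplicate rows to unique accounts, as in this incident where 815,000 rows covered roughly 130 accounts. The row layout, class names and sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Prefixes of salted, deliberately slow password hashes (modular crypt / PHC formats).
SLOW_HASH = [
    ("argon2", re.compile(r"^\$argon2(?:id|i|d)\$")),
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("scrypt", re.compile(r"^\$(?:scrypt|7)\$")),
    ("pbkdf2", re.compile(r"^(?:\$pbkdf2(?:-sha\d+)?\$|pbkdf2_sha\d+\$)")),
    ("sha-crypt", re.compile(r"^\$[56]\$")),
]
# Hex strings the length of an MD5, SHA-1, SHA-256 or SHA-512 digest.
BARE_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}|[0-9a-f]{128})$", re.I)
SEVERITY = {"slow-hash": 0, "empty": 1, "bare-digest": 2, "plaintext-suspect": 3}


def classify(value):
    """Return the storage class of one stored password value."""
    if not value:
        return "empty"
    if any(rx.match(value) for _, rx in SLOW_HASH):
        return "slow-hash"
    if BARE_DIGEST.match(value):
        return "bare-digest"      # fast, probably unsalted: still a finding
    return "plaintext-suspect"    # not a recognised hash format at all


def audit(rows):
    """Collapse rows to unique accounts and keep each account's worst class."""
    worst = {}
    for email, stored in rows:
        key, cls = email.strip().lower(), classify(stored)
        if key not in worst or SEVERITY[cls] > SEVERITY[worst[key]]:
            worst[key] = cls
    return worst, Counter(worst.values())


# Constructed sample rows (not data from the incident).
SAMPLE_ROWS = [
    ("buyer@partner.example", "Summer2025!"),
    ("Buyer@partner.example", "Summer2025!"),          # duplicate row, same account
    ("ops@partner.example", "0123456789abcdef0123456789abcdef"),
    ("legal@partner.example", "$2b$12$" + "A" * 53),   # bcrypt-shaped placeholder
    ("it@partner.example", "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$" + "B" * 43),
]

if __name__ == "__main__":
    for email, cls in sorted(audit(SAMPLE_ROWS)[0].items()):
        print(f"{email:28} {cls}")
```

The classification is by format only: a value in the "plaintext-suspect" class may also be reversibly encoded or encrypted, which is still a finding for password storage, and a plaintext password that happens to be digest-length hex would land in "bare-digest".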

Learnings and Recommendations

Supply chain breaches through licensing and business partners can expose corporate credentials. Even a small number of compromised business accounts can provide a foothold for further attacks.
Plaintext password storage in any system is an unacceptable security practice that organisations should audit across their entire vendor ecosystem.
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.