What Happened
In November 2025, the Everest ransomware group listed Under Armour as a victim, claiming to have stolen 343GB of company data. After the company reportedly failed to respond by the ransom deadline, the data was published on January 18, 2026.
On January 21, Have I Been Pwned obtained a copy and began alerting 72 million affected email addresses. The leaked dataset reportedly contains names, email addresses, genders, dates of birth, locations, and purchase information.
Under Armour has stated it has no evidence that UA.com or payment systems were compromised. Multiple class-action lawsuits have been filed. This is Under Armour's second major breach, following the 2018 MyFitnessPal incident, which affected 150 million accounts.
Timeline
- November 2025 — Everest ransomware group claims to have gained access to Under Armour systems
- November 2025 — Ransom demand reportedly issued to Under Armour
- January 18, 2026 — Data published by Everest group (claimed 343GB) after ransom deadline passes
- January 21, 2026 — Have I Been Pwned lists 72 million affected email addresses
- January 22, 2026 — Under Armour issues public statement acknowledging breach claims
- Early 2026 — Multiple class-action lawsuits filed against Under Armour
Threat Actor Profile
Everest is a Russian-speaking ransomware group that emerged in December 2020. The group operates a hybrid model combining ransomware deployment with initial access brokerage (IAB), selling network access to other threat actors.
Everest has been ranked as a 'high threat' group by multiple cybersecurity firms and has targeted organisations across retail, healthcare, and government sectors.
Impact and Risk Assessment
For Individuals
72 million unique email addresses were exposed alongside personal details including dates of birth, genders, and geographic locations.
Purchase history and loyalty programme data can be used for targeted phishing campaigns impersonating Under Armour or its partners.
Individuals who reused passwords across services face credential-stuffing risk if any associated credentials were included in the broader dataset.
For Organisations
Under Armour faces multiple class-action lawsuits and reputational damage, compounded by this being its second major breach.
Partner organisations and retailers in Under Armour's ecosystem may face increased phishing targeting their shared customer base.
Regulatory Context
Multiple US states have data breach notification requirements that apply to the exposed data categories. Class-action lawsuits may test the adequacy of Under Armour's security measures.
The recurrence of a major breach raises questions about whether remediation efforts following the 2018 MyFitnessPal incident were sufficient.
What Should You Do?
For Individuals
- Check Have I Been Pwned to determine if your email address was included in this breach.
- Change your Under Armour account password and any other accounts where you may have reused the same credentials.
- Be wary of phishing emails impersonating Under Armour, particularly those referencing purchases or loyalty rewards.
For Security Professionals
- Review whether your organisation shares customer data with Under Armour or its platforms and assess downstream exposure.
- Use this incident as a case study for board-level discussions on the reputational cost of repeat breaches and the importance of sustained security investment.
Learnings and Recommendations
Customer databases are high-value targets regardless of whether they contain payment data. The combination of names, emails, purchase history, and demographics has significant value for social engineering operations.
This is Under Armour's second major data breach, raising questions about whether the organisation meaningfully invested in its security posture between the two events.