
Over 72 Million People Exposed in Data Breach at Apparel Giant Under Armour

A data breach at the American apparel giant Under Armour has leaked the personal information of over 72 million people following a ransomware attack.

The data breach surfaced in November 2025 after the Everest ransomware group claimed responsibility for the attack by listing Under Armour on an underground data leak site.

On January 18, the cybercrime group leaked samples on an underground hacking forum and demanded an unspecified ransom in exchange for not publishing the entire trove, which totals about 343 GB.

Under Armour data breach impacts over 72 million people

Data breach tracking website Have I Been Pwned (HIBP) confirmed the data breach and assessed that it leaked the names, email addresses, dates of birth, genders, and geographic locations of 72.7 million people.

Purchase information, including product IDs, prices, quantities, store preferences, and marketing campaign logs, was also exposed. This information is particularly valuable to cybercriminals for shopping scams and phishing.

Nevertheless, Under Armour believes that the number of victims whose sensitive information was compromised is very small. The company also assessed that payment processes and customer passwords were not affected. So far, Under Armour has not indicated that it plans to notify the affected customers.

However, victims should take immediate steps to protect their accounts by using strong and unique passwords, enabling multifactor authentication, and being on the lookout for potential phishing scams. They should also monitor their financial accounts and credit reports for potential unauthorized activity and report any discrepancies.

Meanwhile, HIBP has contacted the impacted individuals via the leaked emails and informed them that they were the victims of a data breach. The apparel giant has launched an investigation with the assistance of third-party cyber forensic experts to determine the full extent of the data breach and the nature of the stolen information. However, the company has yet to acknowledge the data breach formally.

“It is also disheartening that Under Armour has remained silent in the face of these revelations, leaving customers unaware of whether their passwords or financial information was also stolen,” lamented John Carberry, Solution Sleuth, Xcape. “Combinations of purchase and personal information establish robust profiles that hackers can use for years even in the absence of passwords. Affected users are unsure about their exposure and next steps in the lack of official confirmation or instruction.”

Since December 2020, the Everest ransomware gang has victimized dozens of organizations, including AT&T, Dublin Airport, and Coca-Cola, leaking millions of personal records.

Under Armour sued over the Everest data breach

The American apparel giant is facing a class action lawsuit for its alleged negligent handling of personal information and the November data breach.

Class members allege that Under Armour failed to meet the minimum cybersecurity standards, making the data breach entirely preventable.

They specifically took issue with the company’s alleged failure to encrypt or redact highly sensitive information, which they say amounted to negligence, omission, or an utter failure to protect the plaintiffs’ personal information.

The company also allegedly failed to “properly dispose of personal information that is no longer needed” in accordance with the Federal Trade Commission’s guidelines.

They also accuse the apparel giant of failing to notify victims promptly, leaving them exposed to various forms of cyber attacks, monetary losses, emotional distress, and diminished value of personal privacy.

The lawsuit was filed by a former Maryland employee, but it seeks to represent all data breach victims across the United States. A similar class action lawsuit has been filed by a Texas plaintiff, focusing on the company’s handling of the data breach.

 

Staff Correspondent at CPO Magazine