Cyber Incident Victim: Under Armour
Date: Nov 2025
Location: United States of America
Summary
A cybercriminal posted approximately 72 million customer records online, allegedly stolen during a breach claimed by the Everest ransomware gang. The compromised data included names, email addresses, genders, dates of birth, approximate locations, and purchase information, with some records belonging to employees. The company acknowledged investigating the claims but stated there was no evidence of compromise to its primary website, payment systems, or password storage. While asserting that sensitive information impacted only a "very small percentage" of affected individuals, it did not specify what constituted sensitive data or provide exact figures. The organization declined to confirm whether customer notifications would occur or if any ransom demands were received.
Description
In late January 2026, Under Armour confirmed it was investigating claims of a data breach after a cybercriminal advertised 72 million customer records for sale on a hacker forum. The seller attributed the data theft to a November 2025 intrusion, which the Everest ransomware gang had previously claimed responsibility for on its dark web leak site. Public awareness of the breach escalated when Have I Been Pwned obtained and analyzed the dataset, subsequently notifying impacted individuals via email. The compromised records contained names, email addresses, genders, dates of birth, and approximate geographic locations derived from postcodes or ZIP codes. Purchase history details were also exposed, along with corporate email addresses belonging to Under Armour employees. TechCrunch verified a sample of the stolen data provided by the seller, which aligned with Have I Been Pwned’s findings regarding data types and volume.

Under Armour spokesperson Matt Dornic acknowledged the company was investigating the claims with external cybersecurity experts but emphasized no evidence indicated compromise of UA.com, payment processing systems, or password storage infrastructure. The company asserted that only a "very small percentage" of affected customers had information classified as sensitive, though it declined to define what constituted sensitive data or provide precise figures regarding the breach’s scope. Under Armour disputed characterizations that tens of millions of customers’ sensitive personal information was compromised, calling such implications "unfounded." The company did not confirm whether it would notify affected customers directly or disclose if it had received any communication from the threat actors, including ransom demands. No additional details were provided regarding the timeline of the investigation, specific systems accessed during the intrusion, or containment measures implemented following the November 2025 attack claim.
