72M Accounts Allegedly Exposed in Under Armour Data Breach

Under Armour is investigating claims that a dataset tied to roughly 72 million customer records was posted online after an extortion attempt linked to the Everest ransomware group, raising risks of targeted phishing and account takeover attempts even as the company says it has found no evidence that passwords or payment systems were affected.

What Happened in the Breach

A threat actor posted what they described as Under Armour customer data to a hacking forum, and the breach gained wider attention after Have I Been Pwned obtained a copy of the dataset and began notifying impacted people.

Under Armour told media outlets it was aware of the claims and was investigating, while disputing implications that highly sensitive information for tens of millions of customers had been compromised.

Timeline: From First Access To Latest Update

Public reporting points to an extortion and leak sequence that started with a ransomware group claim in November 2025 and then moved to public distribution of a customer dataset in January 2026, while key technical details about initial access and detection remain undisclosed.

1. November 2025: Have I Been Pwned reported that Everest claimed Under Armour as a victim and attempted to extort a ransom, alleging access to 343GB of data.
2. January 18, 2026: The Register reported the customer dataset was posted by a member of the Everest group to a cybercrime forum on January 18, 2026.
3. January 21, 2026: Have I Been Pwned listed the incident and described the data types contained in the dataset, placing the scale at 72.7 million accounts.
4. January 22, 2026: Under Armour confirmed it was investigating and said it had no evidence that UA.com or systems used to process payments or store customer passwords were affected.
5. February 9, 2026: As of February 9, 2026, public reporting reviewed here did not show a detailed Under Armour disclosure that confirmed the full scope, the intrusion method, or a finalized notification and remediation program.

What Data Or Systems Were Affected

Have I Been Pwned said the dataset contained names, email addresses, genders, dates of birth, geographic locations, and purchase information.

AP reported that some of the stolen records included names, genders, birthdates, and ZIP codes, and it cited Under Armour’s statement that it had no evidence the incident affected password storage or payment processing systems.

The reported scale varies slightly across sources, with AP describing 72 million email addresses and Have I Been Pwned listing 72.7 million accounts, which can reflect rounding or differences in how duplicates and unique records are counted.

Who Was Responsible (Confirmed Vs Alleged)

No regulator or law enforcement agency has publicly attributed the incident, and Under Armour has not named a culprit, so responsibility remains unconfirmed.

Have I Been Pwned tied the incident to claims from the Everest ransomware group and described an extortion attempt followed by publication of customer data on a hacking forum.

Everest also claimed additional data types beyond what Have I Been Pwned listed, including phone numbers, physical addresses, loyalty program details, and preferred stores, and those claims remain allegations in the absence of confirmation from Under Armour or an independent primary source.

How The Attack Worked

The available record fits a common extortion pattern where criminals claim access, set a deadline for payment, and publish data after negotiations fail or stall.

Under Armour has not published technical findings on initial access, lateral movement, or exfiltration paths, so the intrusion method remains unknown in public reporting.

Impact and Risks for Customers

The most direct customer risk comes from exposure of email addresses and profile attributes that can support tailored phishing, credential stuffing attempts, and impersonation scams that reference purchases or location details.

Under Armour said it has no evidence that passwords or financial information were taken, which lowers immediate fraud risk compared with breaches that include payment cards or password hashes, but it does not eliminate social engineering and account takeover attempts against other services that reuse the same email address.

Company Response And Customer Remediation

Under Armour said it was investigating and stated that it had no evidence the issue affected UA.com or systems used to process payments or store customer passwords.

TechCrunch reported that Have I Been Pwned notified impacted people by email after obtaining the dataset, and it said the sample data it reviewed aligned with the data types Have I Been Pwned described.

Public reporting reviewed here did not show Under Armour announcing credit monitoring, refunds, or other compensation tied to this incident as of February 9, 2026.

Government, Law Enforcement, And Regulator Actions

AP did not report any public regulator notice or law enforcement announcement tied to the case, and Under Armour’s quoted statement focused on its investigation and its assessment of which systems were not affected.

Civil litigation activity has been reported, including proposed class actions tied to the November 2025 incident, which can increase pressure for additional disclosures even when no regulator action is publicly visible.

Financial, Legal, And Business Impact

The Register reported that the law firm Chimicles Schwartz Kriner and Donaldson-Smith filed a proposed class action on behalf of an Under Armour customer, and it connected that filing to Everest’s earlier leak site posting.

ClassAction.org reported a separate proposed class action titled Malone v. Under Armour, Inc., filed November 24, 2025, alleging that the incident involved theft of hundreds of gigabytes of sensitive data and that notification was not timely.

Under Armour has not publicly quantified costs tied to incident response, legal exposure, or business disruption in the reporting reviewed here.

What Remains Unclear About the Breach

The intrusion start date, the detection date, and the initial access path have not been publicly detailed, which prevents a confirmed dwell time calculation and leaves uncertainty about how far access extended inside the environment.

The complete data inventory remains unresolved, including whether the dataset contains phone numbers, physical addresses, or loyalty program fields that Everest claimed, and whether any employee data was included at scale.

Why This Incident Matters

This incident shows how large consumer datasets can circulate widely even when a company disputes that passwords or payment systems were affected, because email based identity and purchase context still support high success social engineering.

It also underscores that extortion pressure does not require widespread encryption to create impact, since publication of customer data can trigger notification cascades, litigation, and long tail fraud attempts.

How Bright Defense Can Help Limit Data Leak And Extortion Exposure

Bright Defense can reduce the chance that attackers reach large customer datasets through focused penetration tests that cover identity entry points, exposed admin surfaces, third party access paths, and data egress controls around high value repositories. Continuous compliance support can keep access reviews, logging coverage, and incident response evidence current across fast changing systems, which helps teams spot control drift early and respond with clearer facts when an extortion claim appears. This combination also supports tighter segmentation around customer records, stronger monitoring for unusual exports, and faster validation of what was accessed and what was not.

Sources

1. Associated Press – Under Armour Looking Into Data Breach Affecting Customers’ Email Addresses (January 22, 2026)
   https://apnews.com/article/under-armour-data-breach-passwords-6155a46363679c28af4d612ad3f23e36
2. TechCrunch – Under Armour Says It’s ‘Aware’ of Data Breach Claims After 72M Customer Records Were Posted Online (January 22, 2026)
   https://techcrunch.com/2026/01/22/under-armour-says-its-aware-of-data-breach-claims-after-72m-customer-records-were-posted-online/
3. Have I Been Pwned – Under Armour Data Breach (January 21, 2026)
   https://haveibeenpwned.com/Breach/UnderArmour
4. The Register – 72.7M Under Armour Accounts Hit in Alleged Ransomware Leak (January 21, 2026)
   https://www.theregister.com/2026/01/21/under_armour_everest/
5. Malwarebytes – Under Armour Ransomware Breach: Data of 72 Million Customers Appears on the Dark Web (January 22, 2026)
   https://www.malwarebytes.com/blog/news/2026/01/under-armour-ransomware-breach-data-of-72-million-customers-appears-on-the-dark-web
6. TechRadar – Under Armour Cyberattack May Put Over 72 Million at Risk but It’s Staying Quiet (January 2026)
   https://www.techradar.com/pro/security/under-armour-cyberattack-may-put-over-7-million-at-risk-but-its-staying-quiet
7. ClassAction.org – Under Armour Data Breach Lawsuit Claims Co. Failed to Protect Sensitive Info from November 2025 Incident (December 18, 2025)
   https://www.classaction.org/news/under-armour-failed-to-protect-sensitive-info-from-november-2025-data-breach-class-action-lawsuit-says
8. WIRED – The Under Armour Hack Was Even Worse Than It Had To Be (March 2018)
   https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/