Under Armour
Analysis of the Under Armour data breach with 72 million customer records allegedly leaked by the Everest ransomware group after a failed extortion attempt.
Published by the Scrutex.ai Research Team | January 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: Under Armour (American sports apparel and accessories company headquartered in Baltimore, Maryland)
Sector: Retail / Consumer
Region: United States
Date of Incident: November 2025 (initial access by Everest group)
Date Disclosed: January 18, 2026 (data published); January 22, 2026 (company statement)
Estimated Impact: 72 million email addresses; 191 million total records
Data Types Exposed: Names, email addresses, dates of birth, genders, geographic locations, purchase history, loyalty programme details
Attack Type: Ransomware
Attack Vector: Ransomware deployment and claimed data exfiltration
Threat Actor: Everest ransomware group
Current Status: Under investigation. Multiple class-action lawsuits filed. No credit monitoring announced as of February 2026.
Severity Assessment: High. 72 million unique email addresses and 191 million total records exposed, marking Under Armour's second major breach after the 2018 MyFitnessPal incident.
What Happened
In November 2025, the Everest ransomware group listed Under Armour as a victim, claiming to have stolen 343GB of company data. After the company reportedly failed to respond by the ransom deadline, the data was published on January 18, 2026.
On January 21, Have I Been Pwned obtained a copy and began alerting 72 million affected email addresses. The leaked dataset reportedly contains names, email addresses, genders, dates of birth, locations, and purchase information.
Under Armour has stated it has no evidence that UA.com or payment systems were compromised. Multiple class-action lawsuits have been filed. This is Under Armour's second major breach after the 2018 MyFitnessPal incident affecting 150 million accounts.
Timeline
November 2025: Everest ransomware group claims to have gained access to Under Armour systems
November 2025: Ransom demand reportedly issued to Under Armour
January 18, 2026: Data published by Everest group (claimed 343GB) after ransom deadline passes
January 21, 2026: Have I Been Pwned lists 72 million affected email addresses
January 22, 2026: Under Armour issues public statement acknowledging breach claims
Early 2026: Multiple class-action lawsuits filed against Under Armour
Threat Actor Profile
Everest is a Russian-speaking ransomware group that emerged in December 2020. The group operates a hybrid model combining ransomware deployment with initial access brokerage (IAB), selling network access to other threat actors.
Everest has been ranked as a 'high threat' group by multiple cybersecurity firms and has targeted organisations across retail, healthcare, and government sectors.
Impact and Risk Assessment
For Affected Individuals
72 million unique email addresses were exposed alongside personal details including dates of birth, genders, and geographic locations.
Purchase history and loyalty programme data can be used for targeted phishing campaigns impersonating Under Armour or its partners.
Individuals who reused passwords across services face credential-stuffing risk if any associated credentials were included in the broader dataset.
For Organisations
Under Armour faces multiple class-action lawsuits and reputational damage compounded by this being their second major breach.
Partner organisations and retailers in Under Armour's ecosystem may face increased phishing targeting their shared customer base.
Regulatory Context
Multiple US states have data breach notification requirements that apply to the exposed data categories. Class-action lawsuits may test the adequacy of Under Armour's security measures.
The recurrence of a major breach raises questions about whether remediation efforts following the 2018 MyFitnessPal incident were sufficient.
What Should You Do?
If You Are a Potentially Affected Individual
Check Have I Been Pwned to determine if your email address was included in this breach.
Change your Under Armour account password and any other accounts where you may have reused the same credentials.
Be wary of phishing emails impersonating Under Armour, particularly those referencing purchases or loyalty rewards.
If You Are a Security or Risk Professional
Review whether your organisation shares customer data with Under Armour or its platforms and assess downstream exposure.
Use this incident as a case study for board-level discussions on the reputational cost of repeat breaches and the importance of sustained security investment.
Learnings and Recommendations
Customer databases are high-value targets regardless of whether they contain payment data. The combination of names, emails, purchase history, and demographics has significant value for social engineering operations.
This is Under Armour's second major data breach, raising questions about whether the organisation meaningfully invested in its security posture between the two events.