Critical

Under Armour Breach: 72.7M Accounts Exposed

In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted to extort a ransom, alleging they had obtained access to 343GB of data. In January 2026, customer data from the incident was published publicly on a popular hacking forum, including 72M email addresses. M...

Overview

In November 2025, the Everest ransomware group listed Under Armour as a victim on their dark web leak site, claiming to have stolen 343GB of data. After an extortion attempt failed, the group published the stolen customer data on a popular hacking forum in January 2026. The exposed records include 72,742,892 email addresses, names, dates of birth, genders, and geographic locations. The data has since been indexed by Have I Been Pwned, allowing affected users to verify their exposure.

What Was Exposed

The breach exposed a broad set of personally identifiable information (PII) for over 72 million Under Armour customers:

  • Email addresses – the primary vector for phishing and credential-stuffing attacks
  • Full names – enable targeted social engineering
  • Dates of birth – frequently used in security questions and identity verification
  • Genders and geographic locations – usable for tailored fraud or account recovery attacks

While no financial data, passwords, or credit card numbers were confirmed in the dump, the combination of name, email, and DOB dramatically increases the risk of identity theft and account takeover on other services where users might reuse credentials.

How the Breach Happened

The Everest ransomware group, a known extortion operation, claimed responsibility for the attack. Based on their typical modus operandi, they likely gained initial access through phishing, stolen credentials, or an unpatched vulnerability in Under Armour’s internal systems. The group exfiltrated 343GB of data before deploying ransomware, then double-extorted Under Armour by threatening to publish the stolen data unless a ransom was paid. When payment did not materialize, they released the customer database on a public forum, ensuring maximum damage.

Account Takeover Risks

Because email addresses were exposed, affected users face immediate risks from credential-stuffing attacks, where attackers try email/password combinations stolen from other breaches on Under Armour accounts. Even if no passwords were taken from Under Armour itself, the leaked emails are valuable for phishing campaigns that trick users into revealing their passwords.

Attackers can craft messages that reference specific names, birth dates, or locations to appear legitimate. They may also attempt account recovery on other platforms where the same DOB is used as a security question.
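On the defending side, the credential-stuffing pattern described in this section shows up in authentication logs as one source failing against many different accounts in a short time. The following is an added example, not part of the original report: the log format, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2026-01-20T10:00:01Z 203.0.113.7 a1@example.com FAIL
2026-01-20T10:00:03Z 203.0.113.7 a2@example.com FAIL
2026-01-20T10:00:05Z 203.0.113.7 a3@example.com FAIL
2026-01-20T10:00:08Z 203.0.113.7 a4@example.com FAIL
2026-01-20T10:00:11Z 203.0.113.7 a5@example.com FAIL
2026-01-20T10:00:14Z 203.0.113.7 a6@example.com OK
2026-01-20T10:01:00Z 198.51.100.20 bob@example.com FAIL
2026-01-20T10:01:30Z 198.51.100.20 bob@example.com OK
2026-01-20T10:02:00Z 192.0.2.50 c1@example.com OK
2026-01-20T10:02:05Z 192.0.2.50 c2@example.com OK
2026-01-20T10:02:09Z 192.0.2.50 c3@example.com OK
2026-01-20T10:02:15Z 192.0.2.50 c4@example.com OK
2026-01-20T10:02:20Z 192.0.2.50 c5@example.com OK
"""

def parse(line):
    ts, ip, account, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, account.lower(), outcome == "OK"

def detect_stuffing(log, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.8):
    """Map source IP -> (distinct accounts, failure ratio); thresholds are illustrative."""
    by_ip = defaultdict(list)
    for when, ip, account, ok in map(parse, filter(str.strip, log.splitlines())):
        by_ip[ip].append((when, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            accounts = {a for _, a, _ in win}
            ratio = sum(not ok for _, _, ok in win) / len(win)
            if (len(accounts) >= min_accounts and ratio >= min_fail_ratio
                    and len(accounts) > flagged.get(ip, (0,))[0]):
                flagged[ip] = (len(accounts), round(ratio, 2))
    return flagged

def accounts_to_reset(log, flagged):
    """Accounts that logged in successfully from a flagged source: treat as taken over."""
    rows = map(parse, filter(str.strip, log.splitlines()))
    return sorted({acct for _, ip, acct, ok in rows if ok and ip in flagged})
```

The single user retrying a forgotten password and the shared address with many successful logins are both left alone; only the source that fails across many accounts is flagged, and its one successful login is the account to force-reset.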

What to Do Right Now

  1. Check your email on Have I Been Pwned to confirm exposure.
  2. Change your Under Armour password immediately, even if no password was in the dump. Use a unique, complex password.
  3. Enable multi-factor authentication (MFA) on your Under Armour account and any other account that shares the same email.
  4. Be alert for phishing emails claiming to be from Under Armour, especially those referencing your name, location, or DOB. Do not click links or download attachments.
  5. Review your account activity on Under Armour for unauthorized logins or changes to profile details.
  6. Freeze your credit if you believe your DOB or location data could be used for identity theft - though the risk is lower without SSN or financial data.

How to Check If You’re Affected

The exposed data has been added to the Have I Been Pwned database. Simply enter the email address you used for your Under Armour account to see if it appears in the breach. The service is free, secure, and does not store your email.

Security Insight

This breach demonstrates that even companies without a history of major security incidents - Under Armour was previously known for a 2018 credential-stuffing incident affecting its MyFitnessPal subsidiary - remain vulnerable to sophisticated ransomware groups. The Everest group’s decision to publish the full dataset after a failed extortion attempt highlights a critical lesson: ransomware prevention alone is insufficient. Organizations must prioritize data exfiltration detection and have incident response plans that assume customer data will be released, not just encrypted. For consumers, this breach is another reminder that email addresses and personal details are now tradeable commodities on dark web forums, and that any online account represents a potential attack surface.
