Breach Intelligence Report 23 Jan 2026

Under Armour

HEROIC Threat Intelligence Team
Email Address First Name Gender Birthday
Records Exposed 74,919,218
Source Type Database
Origin Darkweb
Password Type No Passwords

We noticed a significant data leak surfacing on November 15, 2025, originating from a breach impacting Under Armour. What struck us was the sheer volume of records compromised, exceeding 74 million unique entries, and the fact that this data was not only exfiltrated but also publicly disseminated by the Everest ransomware group. The nature of the exposed information, while not immediately indicative of direct financial fraud, presents a substantial risk for targeted social engineering campaigns and identity-related threats. The group's decision to publicly release such a large dataset suggests a strategic move to maximize impact and potentially pressure the organization.

The breach, attributed to the Everest ransomware group, involved the exfiltration of approximately 343GB of data. This dataset, containing an estimated 191 million records in total (though our initial analysis points to over 74 million unique individuals based on deduplication), comprised sensitive personal information. Specifically, the leaked data includes Email Addresses, First Names, Gender, and Birthdays. The source structure appears to be a direct database dump, with geographical location data also present for a subset of records. The data was initially released on the Everest group's leak site and subsequently propagated to a prominent hacking forum, indicating a deliberate effort to broaden its accessibility and impact.

While specific news coverage directly detailing this particular Under Armour leak on November 15, 2025, is still emerging, the modus operandi aligns with trends observed in recent ransomware attacks targeting large retail and apparel companies. OSINT analysis of dark web forums indicates that the Everest group has been active in leaking large datasets, often as a tactic to extort victims. Research from cybersecurity firms like Mandiant and CrowdStrike has consistently highlighted the increasing sophistication of ransomware groups in targeting customer databases and the subsequent weaponization of this data for further attacks, including phishing and credential stuffing.

Our attention was drawn to a notable incident on November 15, 2025, involving a substantial data compromise at Under Armour. The discovery of this breach, facilitated by the public release of the exfiltrated data, immediately flagged it as a high-priority event. What is particularly concerning is the breadth of personally identifiable information (PII) exposed, which can be readily leveraged for sophisticated phishing attacks and identity theft. The Everest ransomware group's involvement and their subsequent public dissemination strategy underscore a deliberate and aggressive approach to data exploitation.

The Under Armour breach, executed by the Everest ransomware group, resulted in the exposure of a vast amount of sensitive customer data. Our investigation confirms the exfiltration of approximately 343GB of information, translating to an estimated 191 million records, with our initial analysis identifying over 74 million unique individuals. The compromised data includes fundamental PII such as Email Addresses, First Names, Gender, and Birthdays, alongside geographical location data. This database-centric breach allowed the threat actors to obtain a comprehensive view of customer profiles, which is highly valuable for targeted malicious activities. The data's public release on the group's website and subsequent migration to a popular hacking forum amplifies the risk of widespread exploitation.

Information regarding this specific Under Armour breach is beginning to surface in cybersecurity threat intelligence feeds. The Everest group has a documented history of targeting large organizations and leveraging data leaks as a primary extortion tactic. Industry reports from sources like the Verizon Data Breach Investigations Report (DBIR) consistently emphasize the growing threat of ransomware and the critical importance of securing customer databases. The type of data leaked in this incident is a common target for threat actors seeking to build comprehensive profiles for social engineering and account takeover attempts.

We identified a significant security incident impacting Under Armour, with the data leak becoming publicly visible on November 15, 2025. The scale of this breach is immediately apparent, with over 74 million records compromised, representing a considerable risk to individual privacy and organizational reputation. What stands out is the combination of the volume of data and the specific types of PII exposed, which are prime ingredients for advanced spear-phishing and credential harvesting operations. The Everest ransomware group's claim and subsequent public release of the data indicate a well-orchestrated attack aimed at maximizing impact.

The breach, attributed to the Everest ransomware group, involved a direct compromise of Under Armour's database infrastructure. The exfiltrated data, a substantial 343GB in size, contained approximately 191 million records in total, with our analysis confirming over 74 million unique individuals. The compromised data fields include Email Address, First Name, Gender, and Birthday, alongside associated geographical location information. The threat actors strategically chose to release this sensitive information on their own leak site and then amplified its reach by sharing it on a widely used hacking forum, ensuring broad accessibility for malicious actors.

While detailed news coverage is still developing, cybersecurity forums and threat intelligence platforms are actively discussing the Under Armour data leak. The Everest group's methodology, including the public release of large PII datasets, is a recognized tactic within the threat landscape. Research published by cybersecurity firms specializing in ransomware analysis has consistently warned about the increasing trend of attackers targeting customer databases and the subsequent use of this data for further monetization through various illicit channels, including identity theft and account compromise.

Breach Breakdown

Domain N/A
Leaked Data Email Address, First Name, Gender, Birthday
Password Types No Passwords
Date Leaked 23 Jan 2026
Breach Rank #N/A by affected users
Impact Score 40 (sensitivity + scale + recency)
Est. Financial Impact $542.1M fraud, phishing & misuse risk