Under Armour Data Breach: Everest Ransomware Group Leaks 72 Million Customer Records
The Everest ransomware group posts a database of 191 million records containing 72 million unique email addresses stolen from Under Armour, exposing names, dates of birth, purchase histories, and contact details.
The Everest ransomware group posted a database of 191,577,365 records to a hacking forum on January 18, 2026, claiming the data was stolen from Under Armour. The dataset contains 72,727,245 unique email addresses alongside personal information, making it one of the largest consumer data dumps of 2026.
What Was Exposed
The exposed data includes names, dates of birth, genders, geographic locations, purchase history, phone numbers, and employee contact details. Under Armour stated it found "no evidence" that the breach affected payment processing on UA.com or compromised account passwords. The breach is believed to have originated in November 2025, meaning the attackers had approximately two months of access before the data appeared publicly. The 72 million unique email addresses have been indexed by Have I Been Pwned.
Extortion Tactics
Everest's public posting of the data illustrates a shift in ransomware group tactics that has intensified in 2025-2026: when ransom demands go unpaid, groups publish stolen data on underground forums rather than deleting it. This serves dual purposes — it punishes non-paying victims visibly, reinforcing consequences for future targets, and allows the data to be monetized through resale or exploitation by other threat actors.
The combination of purchase history, date of birth, phone numbers, and email addresses creates a dataset highly valuable for targeted phishing campaigns. Unlike breaches exposing only email addresses, the richness of this dataset gives attackers enough context to craft convincing pretexts — referencing specific purchases, for example — substantially increasing the probability of victim engagement with malicious messages.
Legal Consequences
Multiple class-action lawsuits have been filed in federal courts in Maryland and Texas. The lawsuits allege inadequate data security practices and seek damages for affected consumers. Under Armour is headquartered in Maryland. The legal theories center on negligence in data protection and failure to implement reasonable security measures for personal consumer information.
Recommendations
Individuals with Under Armour accounts should check their email address on Have I Been Pwned, enable multi-factor authentication, and be alert to phishing attempts referencing Under Armour purchases or account details. While passwords were not exposed, attackers with email and purchase history can craft highly targeted social engineering attacks that do not require credential theft.