Under Armour probes exposure of roughly 72 million customer email addresses
Under Armour investigates exposure of about 72 million customer email addresses; company says no evidence of stolen passwords or payment data.

Under Armour is investigating an apparent exposure of roughly 72 million customer email addresses after a dataset tied to the company was published on a hacker forum and subsequently verified by independent researchers and breach-notification specialists.
The company said it is “aware of claims that an unauthorized third party obtained certain data,” and that its investigation is ongoing with the assistance of external cybersecurity experts, according to a statement from company spokesperson Matt Dornic. Under Armour also said it has “no evidence to suggest this issue has affected UA.com or systems used to process payments or store customer passwords,” and characterized assertions that sensitive personal information of tens of millions of customers had been compromised as “unfounded.”
Researchers who reviewed the posted files say the dataset appears to include roughly 72 million email addresses along with some records that contain more detailed personal information, including full names, gender, dates of birth and ZIP- or postcode-derived locations. The material reviewed by analysts also appears to include customer purchase details and purchase histories, and a notable number of email addresses tied to Under Armour employees.
The breach-notification service Have I Been Pwned said it obtained a copy of the dataset and notified 72 million individuals by email after verification. Multiple security researchers and sources point to a cyber incident believed to have occurred late in 2025 as the likely origin of the exposure. A seller of the files said the data were taken in a November 2025 incident, and security reporting indicates the Everest ransomware group claimed in November 2025 to have extorted Under Armour after alleging it had accessed hundreds of gigabytes of company data.
Security experts warn that even when immediate signs of financial theft or password exposure are absent, the downstream risks can be significant. Verified lists tied to a recognizable brand can enable highly convincing phishing and social-engineering campaigns that exploit real order details, transaction identifiers and purchase behavior. Those hazards can take weeks or months to surface as attackers convert raw datasets into tailored attacks.
Under Armour emphasized that, based on the information it has reviewed so far, there is no indication this specific 72-million-record release included customer passwords or payment-card information. That distinction recalls a separate, well-documented incident involving the company’s MyFitnessPal app in 2018, when roughly 150 million accounts were impacted and the compromised data included usernames, email addresses and hashed passwords. At the time, Under Armour said payment card data and government-issued identifiers were not affected.
Investigators are continuing to piece together the scope and provenance of the newly published dataset. Key questions remain about whether additional volumes of data exist, whether internal systems used for e-commerce or payment processing were accessed, and whether the extortion claim by the ransomware group corresponds to the published customer files. Under Armour has not publicly confirmed the full contents or provenance of the published dataset beyond its statement that the matter is under investigation.
For now, affected customers have received notifications from Have I Been Pwned, and consumers and employees tied to the exposed email addresses should be especially alert to phishing attempts and monitor their accounts for unusual activity while the company completes its forensic review.

