Under Armour is investigating claims that data tied to tens of millions of customer accounts leaked online, raising fresh concern about how much personal information shoppers leave behind when they buy clothing, shoes, fitness gear, or connected services from major brands.
The claim centers on a dataset that appeared on a hacking forum and was later added to Have I Been Pwned, the breach-notification service run by security researcher Troy Hunt. Have I Been Pwned says the incident involved about 72 million email addresses, with many records also containing names, dates of birth, genders, geographic locations, and purchase information.
Under Armour has not fully confirmed the attackers’ claims. The company told TechCrunch that it was aware of claims that an unauthorized third party obtained certain data and that its investigation was ongoing with outside cybersecurity experts. The company also said it had no evidence at the time that UA.com, payment-processing systems, or password-storage systems were affected.
That distinction matters. The leak claim is serious, but the most sensitive categories, such as passwords and payment card data, have not been confirmed as exposed by Under Armour.
What Allegedly Leaked
The reported dataset includes 72 million email addresses. Many records reportedly also include names, dates of birth, gender, geographic information, and purchase history. Some reports also mentioned customer profile or transaction-related details, though Under Armour has pushed back on suggestions that highly sensitive information was compromised at a massive scale.
The Associated Press reported that the breach is believed to have happened in late 2025 and affected about 72 million email addresses, along with other personal details cited by Have I Been Pwned. AP also noted that Under Armour said there was no evidence that passwords or financial data were compromised.
This is an important difference for customers. A leak of emails, names, birthdays, gender, ZIP codes, and purchase history is still dangerous. It can fuel phishing, scams, impersonation, credential-stuffing attempts, and targeted fraud. But it is different from a confirmed leak of passwords, credit card numbers, or bank details.
Why Email Addresses Alone Still Matter
Some people dismiss email leaks because email addresses are already widely shared. That is a mistake. An email address tied to a specific brand account becomes more useful to criminals because it confirms that a person has or had an Under Armour account.
A scammer can use that information to send convincing phishing emails pretending to be Under Armour, a delivery company, a refund department, a loyalty program, a payment processor, or a customer-service agent. If the message includes a real name or purchase-related clue, it can look more believable.
For example, a fake email might say there was a problem with a recent Under Armour order or that a customer needs to verify account details after the “security incident.” That kind of message is exactly how criminals turn leaked data into new attacks.
Purchase History Makes Phishing More Personal
Purchase history is particularly useful to attackers because it helps them personalize scams. If criminals know someone bought running shoes, gym clothing, sports gear, or a specific product category, they can create more targeted messages.
A scam email that says “Your account was affected” is generic. A scam email that references athletic apparel, loyalty rewards, returns, shipping, or workout gear feels more realistic. That is why even non-financial data can increase risk.
E-commerce data can also reveal lifestyle patterns. Purchases may suggest gender, age range, body size, sports interests, children’s activities, school teams, gym habits, or location. That information may not be as sensitive as a Social Security number, but it still helps build a profile.
The Ransomware Claim Behind the Leak
Have I Been Pwned says the Everest ransomware group claimed Under Armour as a victim in November 2025 and alleged that it had obtained 343GB of data. In January 2026, customer data from the incident was published publicly on a hacking forum.
Ransomware groups often steal data before demanding payment. If the target refuses to pay, attackers may publish or sell data to increase pressure. The goal is not only encryption anymore. Modern extortion often depends on threatening reputation, lawsuits, customer trust, and regulatory trouble.
Under Armour has not confirmed the attackers’ version of events in full. That is why careful wording is necessary. The company is investigating claims, while independent breach-tracking sources have reported that a large dataset associated with Under Armour appeared online.
Why Under Armour’s Statement Matters
Under Armour’s statement is important because it narrows what the company says it has evidence for. The company said it is aware of claims that an unauthorized third party obtained certain data. It also said there was no evidence at that time that UA.com, systems used to process payments, or systems used to store customer passwords were affected.
That does not make the incident harmless. It means customers should avoid assuming the worst before the investigation is complete. Payment cards and passwords require different emergency steps than exposed emails and profile data.
Still, customers do not need to wait for every final detail before protecting themselves. Changing reused passwords, watching for phishing, and checking breach alerts are reasonable precautions.
Why This Is Not Under Armour’s First Big Data Incident
Under Armour has faced a major breach before. In 2018, the company disclosed that its MyFitnessPal app had been breached, affecting about 150 million accounts. That incident involved usernames, email addresses, and hashed passwords.
Time reported on the MyFitnessPal breach in 2018, noting that Under Armour notified users and urged them to change passwords. The earlier case became one of the largest consumer-app breaches of that period.
The new 72-million-account claim appears separate from the MyFitnessPal breach, but the history matters because it shows how sports, fitness, shopping, and health-adjacent platforms collect large user databases that can become attractive targets.
Why Retail Accounts Are Valuable to Criminals
Retail accounts may seem less sensitive than banking or healthcare accounts, but criminals value them. A retail account can contain addresses, phone numbers, saved payment tokens, order history, loyalty points, gift cards, return records, and customer-service interactions.
Even when payment card numbers are not exposed, attackers may try credential stuffing. That means they take leaked email-password combinations from other breaches and test them on Under Armour or related retail accounts. If customers reused passwords, criminals may get in.
This is why unique passwords matter. One breach should never unlock another account. A password manager makes that easier by creating and storing different passwords for every site.
Why 72 Million Records Is a Big Number
A dataset of 72 million email addresses is huge. It is larger than the population of many countries and includes enough people to make automated phishing campaigns profitable. Even if many email addresses were already exposed in earlier breaches, combining them with Under Armour-specific details creates new risk.
Have I Been Pwned reportedly found that many of the email addresses had appeared in previous breaches. That does not make the leak unimportant. Repeated exposure increases the chances that criminals can connect data from multiple incidents to build fuller profiles.
A name from one leak, a birthday from another, a shopping account from another, and an old password from a fourth breach can become a more dangerous identity puzzle.
What Customers Should Do First
Under Armour customers should check whether their email appears in the incident through Have I Been Pwned. If the email appears, they should assume scammers may target them with Under Armour-themed messages.
Customers should change their Under Armour password if they reuse it anywhere else, even though passwords have not been confirmed as exposed in this incident. More importantly, they should change the password on any other account where the same password was used.
They should also enable multifactor authentication where available, especially on email accounts. Protecting the email account is critical because email is often the recovery key for shopping, banking, social media, and work accounts.
Why Reused Passwords Are the Real Danger
If passwords were not exposed, the immediate login risk may be lower. But reused passwords can still create danger because criminals can combine this leak with older password leaks from other websites.
For example, if someone used the same email and password on another breached site years ago, attackers may try that password on Under Armour, Amazon, PayPal, Gmail, or other accounts. This attack does not require Under Armour passwords to leak. It relies on people reusing passwords across services.
The Federal Trade Commission advises consumers to protect accounts with strong, unique passwords and to watch for phishing attempts that use urgency, fake links, or requests for sensitive information.
Watch for Fake Under Armour Emails
Scammers often exploit breach news quickly. Customers may receive fake messages claiming to offer refunds, identity protection, account verification, loyalty points, password resets, or settlement payments.
A safe rule is to avoid clicking links in unexpected emails or text messages. Instead, type the official Under Armour website address directly into the browser or use the official app. If a message says your account needs action, check through the official account page rather than through the email link.
Customers should be especially cautious of messages that demand immediate action, ask for payment details, request a password, or include attachments. Legitimate companies do not need your password by email.
Why Birthdates and ZIP Codes Can Be Abused
Birthdates and ZIP codes may not seem highly sensitive, but they are often used in identity verification. Customer-service agents, websites, insurance portals, and medical systems may ask for date of birth or ZIP code to confirm identity.
If criminals know those details, they may be better able to pass weak verification checks. They may also use them to personalize scams, guess security questions, or target people by age and region.
This is why people should avoid using public or easily guessed details as security answers. If a website asks for a security question, consider using a random password-manager-generated answer instead of a real childhood street, school, pet, or birth-related detail.
What Businesses Can Learn
The Under Armour claims also carry a lesson for companies. E-commerce data is sensitive even when it does not include credit card numbers. Names, emails, birthdates, locations, and purchase histories can harm customers when exposed.
Companies should limit the data they collect, reduce how long they retain it, segment systems, encrypt sensitive fields, monitor for ransomware activity, and prepare clear breach-response plans. They should also communicate quickly and precisely when claims emerge.
Silence can create confusion. Overstatement can create panic. The best communication is direct: what happened, what data may be involved, what data was not affected, what the company is doing, and what customers should do.
Why Customers Should Monitor Accounts
Customers should monitor Under Armour accounts for unauthorized orders, changed shipping addresses, strange loyalty activity, or password-reset emails they did not request. They should also monitor credit cards and bank accounts, even though payment systems have not been confirmed as affected.
If suspicious charges appear, customers should contact their bank or card issuer immediately. If account changes appear, they should secure the account and contact Under Armour support through official channels.
People who receive targeted phishing should report the message to their email provider and avoid replying. Replying can confirm that the email address is active.
Why Data Breach Fatigue Is Dangerous
Many people feel exhausted by breach news. With so many incidents, it is easy to ignore another alert. But breach fatigue helps criminals. They count on people doing nothing.
The right response does not have to be complicated. Use a password manager. Turn on multifactor authentication. Do not reuse passwords. Check Have I Been Pwned. Be skeptical of urgent emails. Watch accounts for suspicious activity.
These habits protect users across many breaches, not just one.
Why This Could Lead to Legal and Regulatory Pressure
Large data incidents often lead to lawsuits, regulatory questions, and demands for stronger cybersecurity. Class action lawsuits have already been discussed in connection with claims involving Under Armour and the alleged late-2025 breach.
Regulators may ask whether customer data was protected properly, whether notification obligations were triggered, and whether the company’s security practices matched the sensitivity and scale of the data it stored.
For customers, legal outcomes may take months or years. Immediate account protection matters more than waiting for a settlement or official conclusion.
What Under Armour Still Needs to Clarify
Customers still need clear answers. Did the data come directly from Under Armour systems, a vendor, an old database, a partner, or another source? Exactly which fields were exposed? Were passwords, payment tokens, addresses, phone numbers, or loyalty data involved? How many customers were affected? When did the company learn of the issue? Will it notify affected users directly?
Those questions matter because the protective steps depend on the data. A confirmed email-only exposure is different from a leak involving full addresses, phone numbers, passwords, or payment details.
Until those answers are public, customers should take moderate but meaningful precautions.
Final Takeaway
Under Armour is investigating claims that data tied to about 72 million customer accounts leaked online after a dataset appeared on a hacking forum and was added to Have I Been Pwned. The reported data includes email addresses and, in many records, names, dates of birth, genders, geographic locations, and purchase information.
Under Armour says it has no evidence at this time that UA.com, payment-processing systems, or password-storage systems were affected. That means the incident should not be treated as a confirmed payment-card or password breach unless new evidence emerges. But the exposed data is still useful to criminals for phishing, impersonation, credential stuffing, and targeted scams.
Customers should check their email on Have I Been Pwned, change any reused passwords, enable multifactor authentication, monitor accounts, and be cautious of fake Under Armour emails offering refunds, password resets, or breach support. Even when financial data is not exposed, a large customer-data leak can still create real risk.