Nike Targeted by WorldLeaks Ransomware Group, Which Threatens Data Leak

Nike Faces Alleged Cyberattack by WorldLeaks Ransomware Group

Global sportswear giant Nike is reportedly the latest victim of a cyberattack orchestrated by the WorldLeaks ransomware group. On January 22, 2026, WorldLeaks announced on its darknet leak site that it had breached Nike’s systems and threatened to release the stolen data on January 25, 2026, at 6 PM GMT.

The announcement, which garnered over 400 views within hours, provided minimal details about the breach. However, it has raised significant concerns about the potential exposure of sensitive information. Nike has acknowledged the situation, stating, “We are investigating a potential cybersecurity incident and are actively assessing the situation.”

Scope of the Breach

While the exact volume of exfiltrated data remains unconfirmed, industry analysts suggest it could potentially reach several terabytes, based on WorldLeaks’ historical attack patterns. Preliminary reports indicate that approximately 481,183 user accounts, 220 employee records, and 444 third-party employee credentials may have been compromised.

The types of data potentially exposed include:

– Internal company documentation

– Customer information

– Employee email addresses and phone numbers

– Business operational records

– Human resources data

The specific nature and scope of sensitive information, such as intellectual property, product development details, or financial records, remain undisclosed pending Nike’s ongoing investigation.

About WorldLeaks

WorldLeaks emerged in January 2025 as a rebrand of the defunct Hunters International group. Operating on an extortion-only model, WorldLeaks focuses exclusively on data theft without engaging in file encryption, allowing for faster attack execution and reduced detection risk.

The group maintains a sophisticated infrastructure comprising:

– A public leak site for showcasing victims

– A negotiation portal for ransom communications

– An Insider journalist platform providing advance data access

– An affiliate management system

Since its formation, WorldLeaks has claimed over 116 victims, including high-profile targets such as Dell Technologies and L3Harris Technologies, a U.S. defense contractor.

Modus Operandi

WorldLeaks typically gains initial access through:

– Compromised legitimate websites

– Phishing campaigns with malicious attachments

– Unpatched internet-exposed applications

– VPNs lacking multi-factor authentication

Once inside the network, the group employs credential theft, lateral movement through network shares, and custom-developed exfiltration tools to catalog and extract sensitive data.

Industry Context

This incident is part of a broader trend of coordinated cyberattacks targeting the retail and athletic apparel sectors. For instance, in November 2025, Under Armour experienced a significant data breach affecting approximately 72 million customers. The breach exposed email addresses, names, genders, birthdates, and ZIP codes. Similarly, Adidas confirmed a third-party breach in May 2025, leading to the compromise of customer data.

Recommendations for Organizations

In light of these incidents, organizations are advised to:

– Implement mandatory multi-factor authentication on all remote access points

– Conduct immediate network segmentation reviews

– Establish enhanced monitoring for unauthorized data exfiltration to external cloud services and anonymized networks

These measures can help mitigate the risk of similar cyberattacks and protect sensitive information.