Ransomware Group Everest Claims Massive Data Breach at Under Armour, Threatens to Leak Data

The Everest ransomware group, notorious for its cyberattacks, has reportedly infiltrated Under Armour’s systems, claiming to have exfiltrated 343 gigabytes of sensitive data. This breach, announced on November 16, 2025, could potentially affect millions of customers and employees globally.

Details of the Alleged Breach

According to Everest’s statement on their dark web leak site, the stolen data includes:

– Customer Information: Millions of records containing transaction histories, user IDs, email addresses, physical addresses, phone numbers, passport details, gender information, and both work and personal email contacts.

– Employee Data: Personal information of employees from various countries.

– Internal Documents: Confidential company documents.

– Marketing and Analytics Data: Customer shopping histories, product catalogs with SKUs, prices, availability, marketing logs, and user behavior analytics.

The sample data provided by Everest suggests that the breach may have targeted Under Armour’s customer relationship management, personalization, or e-commerce databases, possibly originating from marketing or product registration systems.

Everest’s Modus Operandi

Active since 2021, Everest has a history of high-profile cyberattacks, including:

– AT&T: Compromised the carrier’s database, exposing over 500,000 users.

– Dublin Airport: Exfiltrated 1.5 million passenger records.

– Coca-Cola: Accessed internal files.

In this instance, Everest has issued a seven-day ultimatum to Under Armour via Tox messenger, demanding contact before the countdown timer expires and threatening to leak the data if their demands are not met. While no ransom amount has been specified, Everest typically escalates data leaks for non-compliant victims.

Under Armour’s Response

As of November 18, 2025, Under Armour has not publicly confirmed or denied the breach. The Baltimore-based company operates in over 190 countries and owns brands like MyFitnessPal, which experienced a significant data breach in 2018 affecting 150 million users. That incident exposed usernames, emails, and hashed passwords but did not compromise financial data. The current alleged breach appears more extensive, potentially including passports and transaction logs that could facilitate targeted fraud.

Implications and Recommendations

Cybersecurity experts warn that such data exposures increase the risk of supply chain attacks and social engineering. Ransomware groups like Everest are shifting focus to data exfiltration over encryption, turning breaches into intelligence goldmines.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has not yet listed this incident in its Known Exploited Vulnerabilities catalog. However, similar events have prompted federal alerts in the past.

Recommendations for Customers:

– Monitor Accounts: Regularly check for unusual activity.

– Change Passwords: Update passwords on Under Armour-linked services.

– Enable Multi-Factor Authentication: Add an extra layer of security to accounts.

– Be Vigilant Against Phishing: Be cautious of emails or messages that may attempt to exploit the situation.

Recommendations for Enterprises:

– Scan for Indicators of Compromise: Look for signs of malware such as Qakbot or Cobalt Strike beacons, which Everest often uses.

– Enhance Security Measures: Implement robust cybersecurity protocols to prevent unauthorized access.

Under Armour has been contacted for comment; until verified, these remain allegations. However, the detailed sample provided lends credibility to Everest’s claims.