Under Armour is investigating claims that data tied to tens of millions of customer accounts has leaked online, after a dataset containing roughly 72 million email addresses surfaced on a hacking forum and was subsequently added to the breach-notification service Have I Been Pwned. The company has acknowledged it is aware of claims that an unauthorized third party obtained certain data, but has not fully confirmed the attackers' claims and says its investigation with outside cybersecurity experts is ongoing.
What Happened
The claim centers on a dataset that first appeared on a hacking forum and was later ingested into Have I Been Pwned, the breach-notification service run by security researcher Troy Hunt. According to Have I Been Pwned, the incident involves approximately 72 million email addresses, with many records also containing names, dates of birth, genders, geographic locations, and purchase information.
Under Armour confirmed to TechCrunch that it was aware of claims that an unauthorized third party obtained certain data and that its investigation was ongoing. Crucially, the company stated it had no evidence at the time that UA.com, its payment-processing systems, or its password-storage systems were affected. The Associated Press reported that the breach is believed to have occurred in late 2025, aligning with the roughly 72 million affected email addresses cited by Have I Been Pwned.
What Was Taken
The reported dataset includes 72 million email addresses. Many of those records reportedly also include full names, dates of birth, gender, geographic information such as ZIP codes, and purchase history. Some reports referenced additional customer profile or transaction-related details, though Under Armour has pushed back on suggestions that highly sensitive information was compromised at a massive scale.
The distinction between what allegedly leaked and what remains unconfirmed is central to assessing the risk. Under Armour has stated there is no evidence that passwords or financial data were compromised. A leak of emails, names, birthdays, gender, geographic data, and purchase history is dangerous, but it is materially different from a confirmed exposure of passwords, credit card numbers, or bank details. As of this writing, the most sensitive categories have not been confirmed as exposed.
Why It Matters
Some observers dismiss email leaks on the grounds that email addresses are already widely shared. That is a mistake. An email address tied to a specific brand account is more valuable to criminals precisely because it confirms the person has, or had, an Under Armour account. That confirmation transforms a generic address into a targeting anchor.
Combined with names, dates of birth, gender, geographic data, and purchase history, this dataset provides everything an attacker needs to build convincing, personalized social-engineering campaigns. It can fuel phishing, scams, impersonation, credential-stuffing attempts, and targeted fraud. Purchase history in particular allows criminals to reference real orders, deliveries, and loyalty activity, dramatically raising the credibility of a fraudulent message. For enterprise defenders, incidents like this expand the raw material available for downstream attacks against both consumers and the brands being impersonated.
The Attack Technique
The precise intrusion method has not been publicly disclosed, and Under Armour's investigation remains ongoing. What is known is that the dataset surfaced on a hacking forum before being cataloged by Have I Been Pwned, a common distribution pattern in which stolen or scraped data is posted, sold, or leaked to build reputation within criminal communities.
Under Armour's early statements indicate the exposure did not stem from its UA.com storefront, payment-processing systems, or password-storage systems, which points investigators toward alternative sources such as an ancillary system, a third-party service, or a historical data store. Until the company completes its forensic review, the root cause, timeline, and full scope should be treated as unconfirmed. The late-2025 timeframe cited by the Associated Press suggests the data may have been held or circulated for a period before publicly surfacing.
What Organizations Should Do
- Treat any inbound message referencing an Under Armour account, order, refund, or loyalty program as potential phishing bait, and verify through official channels rather than links or phone numbers in the message.
- Enforce multi-factor authentication and monitor for credential-stuffing activity, since leaked email addresses are commonly replayed against unrelated services where customers reuse credentials.
- Proactively communicate with affected customers, advising them to remain alert to targeted phishing that may cite real names, birthdays, or purchase details to appear legitimate.
- Audit relationships with third-party vendors and ancillary systems that hold customer data, as breaches frequently originate outside the primary storefront and payment stack.
- Tune email security and brand-protection tooling to detect spoofed domains and lookalike sender addresses impersonating the brand and its delivery, payment, and support partners.
- Preserve logs and engage external forensic experts early to establish root cause, scope, and timeline before drawing public conclusions about what was and was not exposed.
Sources: Under Armour Probes Massive Leak Claim After 72 Million Customer Records Surface Online - AMOverview