On January 18, 2026, the Everest ransomware group made good on their threat and released Under Armour customer data to BreachForums. Two months earlier, Everest had added Under Armour to their leak site with a seven-day deadline. The company didn't pay. Now 72.7 million email addresses are sitting in Have I Been Pwned, and Under Armour still hasn't publicly acknowledged the incident.
We analyzed the leaked data and the forum discussion around it. Here's what we found.
The Initial Announcement
The forum post from user "thelastwhitehat" claimed 343 GB of sensitive data including "full names, email addresses, geographic locations, genders, purchase histories and preferences, employee contact details, and more." Everest's original claims were even broader, including phone numbers, physical addresses, loyalty program details, and preferred stores.
That's a significant amount of PII if accurate. But forum users who actually downloaded and analyzed the data found something different.
What's Actually In The Leak
Within 24 hours of the data hitting the forums, users started reporting discrepancies. User "ThinkingOne" noted: "there do not appear to be any phone numbers in here. There is a phone number header in some of the files, but no actual phone numbers. Also, few/no last names, no addresses."
That's a meaningful distinction. Headers exist for sensitive fields, but the data isn't there. What Everest claimed and what they actually exfiltrated are two different things.
The File Structure
The leaked archive contains 29 CSV files totaling 191,577,361 records. The largest files are mobile push notification exports (69M and 71M records respectively), followed by Bluecore marketing exports and loyalty customer data.
The file naming convention tells the story. These are marketing system exports, not production database dumps:
- Bluecore exports - Email marketing platform data
- MobilePush_TotalGenderData - Push notification targeting
- NorthAmerica_MasterPush_Segmentation - Marketing segmentation
- Customer_360_SFMC_Preferred_Store - Salesforce Marketing Cloud data
- RatingsAndReviews_SourceData - Customer review data
- RetailPurchases_Last30_SourceData - Recent transaction data
This is marketing tech infrastructure. Email addresses, purchase behavior, marketing preferences. Valuable for targeted phishing campaigns, but not the full PII profiles Everest advertised.
What This Means For Affected Customers
The 72.7 million unique email addresses are real. If you've shopped at Under Armour, your email is likely in this dataset along with your purchase history and marketing preferences. That's enough for convincing phishing attempts that reference your actual buying behavior.
What's probably not exposed: your home address, phone number, or payment information. The forum analysis suggests those fields either weren't captured by the marketing systems that were compromised, or weren't populated in the exports Everest obtained.
What This Means For Under Armour
Two months of silence while a class action lawsuit gets filed and millions of customers check breach notification services is a communications failure regardless of what's in the data. Customers are making assumptions, and those assumptions are probably worse than reality.
More importantly, this breach reveals something about their security posture. Marketing platforms sit at the edge of the network. They integrate with everything. They often get stood up by marketing teams without going through normal security review processes. Most security programs have better visibility into production databases than they do into martech, and that blind spot is exactly what Everest exploited here.
Understanding where the initial access came from and why these systems were accessible is what prevents the next incident. Cleanup without root cause analysis is just waiting for round two.
About Everest
Everest has been operating since 2020, making them unusually long-lived for a ransomware group. According to security researchers, they run three parallel revenue streams: double extortion ransomware, network access brokerage (selling access to other crews), and an insider recruitment program. Under Armour was one target in a portfolio that includes aerospace contractors, power grid operators, and government agencies.
Timeline
| Date | Event |
|---|---|
| November 15, 2025 | Breach occurs (per forum claims) |
| November 2025 | Everest adds Under Armour to leak site with 7-day deadline |
| November 24, 2025 | Class action lawsuit filed |
| January 18, 2026 | Data published on BreachForums |
| January 19, 2026 | Forum users report phone number fields are empty |
| January 21, 2026 | HIBP ingests 72.7M records |
| Present | Under Armour has not publicly acknowledged the incident |
.png)
