Under Armour said it is investigating claims of a data breach after a cybercriminal posted what appears to be 72M customer records on a hacking forum, sparking widespread notifications from breach-tracking service Have I Been Pwned.
According to Have I Been Pwned, the dataset includes names, email addresses, gender, dates of birth, approximate locations derived from ZIP or postal codes, and details tied to purchases. Under Armour said it has engaged external cybersecurity experts and, so far, has seen no evidence that UA.com, payment processing systems, or customer passwords were affected.
The company characterized the share of impacted customers with information it considers “sensitive” as a small fraction of the total and pushed back on suggestions that sensitive personal data for tens of millions was exposed. Under Armour has not specified what it deems sensitive in this context or whether it plans to notify individuals directly.
What We Know So Far About Under Armour’s Data Leak
Have I Been Pwned said it obtained a copy of the data and sent alerts to roughly 72M impacted email addresses, indicating that the records are at least partially valid and that the addresses are contactable. Such datasets often contain a mix of recent and historical entries and can include duplicates; verification typically hinges on cross-checking sample records and successful delivery of notifications.
Under Armour has not publicly identified the source of the leak. Large consumer datasets can originate from core e-commerce platforms, marketing systems, loyalty programs, or third-party vendors. The company’s decision to bring in outside incident response specialists suggests a forensic review spanning both internal systems and partners that may handle customer data.
Crucially, the company says there is no evidence of compromised payment data or passwords at this stage. That matters for risk calculus, but it does not eliminate the threat: names, emails, birth dates, and purchase histories are highly useful for targeted social engineering.
Why Non-Financial Data Still Poses Risk to Customers
Even without passwords, exposed identity data fuels convincing phishing, account recovery scams, and credential stuffing when users reuse passwords across sites. Postal code and purchase details can sharpen the lure: references to recent orders or local offers make malicious emails and texts more believable.

The FBI’s Internet Crime Complaint Center has consistently reported record losses from online fraud, with recent annual totals exceeding $12B and hundreds of thousands of complaints. Attackers often stitch together information from multiple breaches, raising the probability that a single dataset leads to downstream fraud.
Context and Regulatory Stakes for Under Armour
Under Armour has navigated major data incidents before: its MyFitnessPal platform disclosed a breach affecting 150M accounts in 2018, a reminder that consumer fitness and retail ecosystems are perennial targets. Attackers prize the scale and marketing-rich detail of these databases.
In the U.S., state data breach notification laws generally require timely disclosure if specific categories of personal information are exposed. If any affected individuals reside in the EU or UK, GDPR and similar regimes impose strict timelines, regulator notifications, and potential penalties. Clarity about what the company labels “sensitive” will determine which legal triggers apply and whether formal notice is mandatory.
What Customers Should Do Now to Reduce Their Risk
- Be wary of emails or texts referencing Under Armour orders, refunds, or account checks. Instead of clicking links, navigate directly to official sites or apps. Treat unsolicited password reset notices as suspicious unless you initiated them.
- If you reuse a password tied to your Under Armour account anywhere else, change it to a unique one and enable multi-factor authentication where available. Monitor payment cards and bank accounts for unusual activity and consider a credit freeze if you see signs of identity misuse.
- You can also check reputable breach-notification services to confirm exposure and set up alerts for future incidents. Maintain healthy skepticism toward communications that include your birth date, postal code, or specific purchase details; the sender may be weaponizing leaked data.
What to Watch Next as the Under Armour Probe Unfolds
Key signals of severity will include:
- Under Armour’s confirmation of the data’s origin
- Whether any passwords or payment details are ultimately implicated
- Whether a third-party vendor is involved
Regulatory filings, consumer notices, and any communication from alleged attackers—such as ransom or extortion demands—will frame the next phase.
For now, Under Armour’s message is that the investigation is ongoing and that its core commerce systems remain unaffected. Until the company provides a fuller accounting, customers should assume targeted phishing is the most likely near-term risk and act accordingly.