Everest Ransomware Claims Massive Under Armour Data Leak Affecting 72.7 Million Accounts

The Everest ransomware crew is once again claiming a marquee victim, this time alleging it has siphoned a vast trove of customer data from Under Armour and leaked it onto a cybercrime forum. If verified, the incident would rank among the largest retail data exposures in recent memory and highlight how modern ransomware campaigns can linger long after an initial intrusion.


The scale of the alleged breach comes from Have I Been Pwned, which says it ingested data tied to 72.7 million Under Armour accounts. The files, shared by a purported Everest affiliate on January 18, include names, email addresses, dates of birth, gender markers, geographic information, and records of past purchases. That combination moves well beyond simple contact data, providing a detailed snapshot of customer behavior and identity attributes.


Under Armour has not publicly confirmed the incident. The company did not respond to questions when reports of a ransomware attack surfaced in November and has yet to comment following the appearance of the leaked files. In the absence of an official statement, uncertainty has filled the gap for customers who do not know whether additional data types, such as passwords or payment information, were also compromised.


Everest first drew attention to the alleged attack roughly two months ago when it listed Under Armour on its leak site. The group threatened to publish stolen data unless an undisclosed ransom was paid within a week. Beyond the information confirmed by Have I Been Pwned, Everest claims the cache also contains phone numbers, physical addresses, loyalty program data, and preferred store locations. Those details would significantly increase the value of the dataset to downstream criminals.


Legal action followed quickly. The law firm Chimicles Schwartz Kriner and Donaldson-Smith filed a proposed class action lawsuit on behalf of an Under Armour customer soon after Everest publicized its claims, a familiar sequence in large consumer data incidents where silence from the victim company collides with public disclosures from criminals.


Security researchers view the alleged leak as emblematic of the long tail of ransomware extortion. Even when an attack is months old, the release of data can reset the clock on harm by making sensitive information widely accessible.


“One of the worst retail data breaches in recent memory, the huge leak of over 72 million Under Armour accounts is a lesson in the long-tail effects of ransomware extortion,” said John Carberry, Solution Sleuth at Xcape, Inc.


“The Everest ransomware organization has essentially given every phisher and identity thief on the dark web a ‘goldmine’ of targeted leads by revealing 343GB of data, including identities, purchase history, and geographic locations,” Carberry said. “Attackers can create extremely convincing schemes based on real customer loyalty program details and favorite retail locations thanks to the tremendous granularity of the exposed data.”


Carberry added that the public availability of the data changes the risk profile entirely. “The ‘Have I Been Pwned’ database's public release turns a private company issue into a long-term public safety risk for millions of customers, even if the breach itself probably happened months ago,” he said.


He also criticized the lack of communication around the incident. “It is also disheartening that Under Armour has remained silent in the face of these revelations, leaving customers unaware of whether their passwords or financial information was also stolen,” Carberry said.


“Combinations of purchase and personal information establish robust profiles that hackers can use for years even in the absence of passwords. Affected users are unsure about their exposure and next steps in the lack of official confirmation or instruction.”


Everest is not a new name in the ransomware ecosystem. Active since around 2020, the group has claimed attacks on a wide range of high-profile targets, including aerospace suppliers, national infrastructure, and government entities. More recently, Asus confirmed it was impacted by an Everest-linked incident through a third-party supplier, resulting in the compromise of internal files.


Despite that track record, Everest has largely avoided the notoriety of the most prolific ransomware brands. Analysts say that may be intentional. According to security firm Halcyon, the group operates multiple revenue streams that include traditional double-extortion ransomware, brokering network access, and even recruiting insiders. The diversified model allows Everest to extract value while keeping a lower public profile.


For victims and customers, however, the effect is the same. Once data is released, control is permanently lost.


“Knowing that a public release alone causes reputational harm, ransomware groups such as Everest are using silence and delay as pressure tactics,” Carberry said. “These days, prompt notification and transparency are essential elements of crisis response rather than optional extras.”


“The breach doesn't stop when stolen data is made public; it becomes irreversible.”