Under Armour Ransomware Attack Exposes 72M Email Addresses
The Everest ransomware gang has struck again, this time targeting sportswear giant Under Armour in a cyberattack that exposed sensitive information from millions of customers worldwide.
The breach, which occurred in November 2025, involved hackers stealing 343 GB of company data before issuing ultimatum demands.
On Jan. 21, Have I Been Pwned reported that customer data from the incident was published publicly on a popular hacking forum, including 72 million email addresses. Many records also contained additional personal information such as names, dates of birth, genders, geographic locations, and purchase information.
Meet the Everest gang
The Everest ransomware group has emerged as one of the most prolific cybercriminal organizations, with Under Armour representing just their latest high-profile conquest. Operating since December 2020, the gang has evolved from simple ransomware attacks into a sophisticated criminal enterprise that also functions as an Initial Access Broker, selling network access to other hackers.
Their recent victim list reads like a Fortune 500 directory: Coca-Cola Europacific Partners, AT&T, Collins Aerospace, and the Abu Dhabi Department of Culture and Tourism have all fallen prey to Everest’s operations. These aren’t opportunistic attacks—they represent calculated strikes against global infrastructure that generates billions in combined revenue.
The group’s technical sophistication becomes clear when examining their methods. Everest operatives utilize remote access tools like AnyDesk and Splashtop for command and control, while commonly exploiting weak or stolen credentials for initial network penetration. When they do deploy ransomware, victims discover their data encrypted using AES and DES algorithms, with compromised files bearing the distinctive ‘.EVEREST’ extension.
The gang posted their Under Armour breach claims on Nov. 16, 2025, giving the company just seven days to establish contact via encrypted messaging before threatening to release all stolen information.
As the Everest gang continues expanding their criminal empire with increasingly sophisticated attacks, this incident serves as a stark reminder that no organization remains immune to determined cybercriminals operating in today’s digital landscape.
Stay safe
While the massive scale of exposed data grabs headlines, cybersecurity experts warn the real threat lies in what comes next.
George Foley, ESET Ireland security spokesperson, said, “When a well-known consumer brand is linked to a major leak, criminals move fast. They do not stop at the data that was taken. They use it to create believable follow-up emails, texts, and even phone calls that look like they are coming from the company involved. The aim is to trick people into handing over more information, clicking a link, resetting a password through a fake page, or sharing payment details.”
ESET Ireland said consumers should treat any unexpected message claiming to be from Under Armour, or referencing an account issue, delivery problem, refund, loyalty points, or “security verification”, as suspicious until proven otherwise.
Foley added, “If you get a message that pressures you to act quickly, that is a red flag. Go directly to the company’s official website or app yourself, rather than using links in messages. And if you reused the same password anywhere else, change those accounts first. Password reuse turns one leak into several compromises.”
ESET Ireland consumer guidance includes reviewing password hygiene and enabling multifactor authentication where available, being cautious about calls or texts that reference personal details and watching for highly personalised phishing attempts that use known data points to sound credible.
Cybercriminals have launched a sophisticated phishing campaign targeting LastPass customers with urgent “maintenance” alerts designed to steal master passwords.
About Author
