
🚨 Under Armour Breach: 72 Million Accounts Exposed — Check Now

By Sarah Mitchell, Digital Safety Writer, FreeStrongPassword.com · 25 May 2026

Under Armour has confirmed a ransomware breach that exposed 72 million customer accounts — including names, email addresses, and purchase histories. Here is exactly what was stolen, how to check if you were affected, and the five steps you need to take right now to protect your accounts.

If you have ever bought workout gear, running shoes, or sports apparel from Under Armour — either online or in-store with a loyalty account — your personal information may be circulating on the dark web right now. The Everest ransomware gang broke into the sportswear giant’s systems in November 2025 and spent weeks extracting customer data before demanding a ransom. The breach was confirmed and disclosed in early 2026, with Have I Been Pwned — the free breach notification service — adding 72 million email addresses to its database.

We have tracked this story from the initial disclosure, analysed what the leaked data contains, and tested the recovery steps below with real users. In this guide, we will walk you through exactly what happened, why this matters for your password security, and — most importantly — five concrete steps you can take today to protect your accounts.

Quick check: Go to Have I Been Pwned and enter your email address. If Under Armour appears in the results, follow the steps below. It takes 10 seconds and it is free.

What Happened in the Under Armour Breach

The Everest ransomware gang — a Russian-speaking cybercriminal group that has been active since 2023 — infiltrated Under Armour’s internal systems in November 2025. According to cybersecurity researchers at Malwarebytes and breach-tracking service Have I Been Pwned, the attackers gained access through compromised employee credentials and spent weeks quietly extracting customer data from Under Armour’s databases.

The stolen data includes approximately 72 million customer records containing:

According to reports from Fox News and CBS News, the breach is believed to have happened late last year and was only flagged publicly after Have I Been Pwned indexed the data in its breach database in January 2026. Under Armour has confirmed it is investigating the incident but has not yet disclosed whether financial data — such as credit card numbers — was also affected.

The Everest gang is known for a “double extortion” model: they steal data, encrypt the victim’s systems, and then threaten to publish the stolen information online if the ransom is not paid. This same gang has previously targeted healthcare providers, financial services, and technology companies across North America and Europe.

Why This Breach Matters for Your Passwords

Even if you never reused your Under Armour password — and you absolutely should not have — this breach still puts your broader digital security at risk. Here is why security researchers are particularly concerned about this leak.

Credential stuffing is the real threat. The 72 million email addresses in this breach will now be fed into automated credential stuffing tools. Attackers take the email addresses and try common passwords — or passwords leaked from other breaches — against hundreds of other websites simultaneously. If you use the same email address and password combination on Under Armour that you use for your email account, your bank, or your social media, those accounts are now in direct danger. This is the same attack vector that drove a 1,200% surge in credential stuffing attacks in 2026 according to Microsoft’s latest threat intelligence report.

Email addresses are a goldmine for phishers. Hackers now know exactly who shops at Under Armour, where they live, and what products they buy. They can craft highly targeted phishing emails that reference your actual purchases to trick you into clicking malicious links. For example: “Your recent Under Armour order of $89.95 has a shipping problem — click here to confirm your address.” This kind of context-aware phishing is nearly impossible to spot if you are not paying close attention.

The data never truly disappears. Even if Under Armour paid a ransom — and the company has not confirmed whether it did — cybersecurity experts at CrowdStrike found that 83% of organisations that paid ransoms were attacked again. The Everest gang has a documented history of recycling stolen data across multiple campaigns. Your information may resurface on criminal forums months or even years from now.

How to Check If You Were Affected (Takes 10 Seconds)

Checking whether your email address was caught up in the Under Armour breach is free and takes almost no time at all. Here is exactly what to do.

  1. Go to Have I Been Pwned. Visit haveibeenpwned.com — it is free, requires no sign-up, and does not store your email address.
  2. Enter your primary email address. Type in the email you use for online shopping, including the one you used for Under Armour.
  3. Check the results. If Under Armour appears in the list of breaches, your data was in the stolen database. The site will also tell you what type of data was exposed (names, addresses, etc.).
  4. Repeat for any other email addresses you use. If you use different emails for work and personal accounts, check each one.

If your email does not appear, that is good news — but do not stop here. The breach data is still being analysed, and more records may surface as security researchers continue investigating. Bookmark Have I Been Pwned and check back every few weeks.

5 Steps to Protect Yourself Right Now

Whether your email was in the breach or not, these five steps will significantly reduce your risk. We have tested them with non-technical users and the entire process takes about 20 minutes.

Step 1: Change Your Under Armour Password — and Every Account Using That Password

If you had an Under Armour online account, change its password immediately. Even if the Everest gang only took emails and purchase histories, your password hash may also have been compromised. Use a unique, strong password that you do not use anywhere else.

The easiest way to create one is with a free password generator — aim for at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols. If you used the same password on Under Armour that you use on other sites (and most people do — studies show 73% of Americans reuse passwords), you need to change it on every single one of those sites right now. We recommend starting with your email account, your bank, and any social media accounts, then working through the rest. The Trusty Password manager companion complements password managers by generating unique credentials for every site.
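For readers who would rather see how such a password is produced, here is an added example (not the code behind any generator mentioned in this article) that builds a 16-character password with all four character types from the operating system's secure random source. The symbol set is an assumption, since sites differ in which symbols they accept.

```python
import math
import secrets
import string

# The four character types named in the advice above.
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()-_=+[]{};:,.?",  # assumed symbol set; adjust to what the site accepts
)
ALPHABET = "".join(CLASSES)


def meets_guidance(password: str, min_length: int = 16) -> bool:
    """True if the password is long enough and uses every character type."""
    return len(password) >= min_length and all(
        any(ch in cls for ch in password) for cls in CLASSES
    )


def generate_password(length: int = 16) -> str:
    """Return a random password that satisfies meets_guidance()."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character type")
    while True:
        # Every character is drawn uniformly from the whole alphabet with the
        # OS CSPRNG. Candidates missing a type are thrown away and redrawn, so
        # no position in the password is predictable.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_guidance(candidate, min_length=length):
            return candidate


def entropy_bits(length: int = 16) -> float:
    """Upper bound on guessing entropy: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(generate_password())
    print(f"about {entropy_bits():.0f} bits of entropy")
```

Generate a fresh password for each account and store it in a password manager; reusing one output on several sites brings back the reuse problem described above.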

Step 2: Turn On Two-Factor Authentication Everywhere

Two-factor authentication (2FA) is the single most effective security measure you can enable. According to Microsoft, 2FA blocks 99.9% of automated cyberattacks. Even if a hacker has your password, they cannot get into your account without the second factor — typically a code sent to your phone or generated by an authenticator app.

For a step-by-step walkthrough, read our 2FA setup guide for beginners. Most major services — Google, Microsoft, Amazon, Facebook — support 2FA and you can enable it in under two minutes through your account security settings. The UK’s NCSC recommends using an authenticator app rather than SMS codes because SIM-swapping attacks can bypass text message verification.

For an additional layer of security, a premium antivirus suite like Kaspersky can help detect phishing attempts and block malicious websites that try to steal your credentials — especially useful in the weeks following a major breach.

Step 3: Watch for Phishing Emails and Suspicious Messages

Now that attackers know you shop at Under Armour, expect to see phishing emails designed to look like they came from the company. These messages may reference your actual purchases, include your real name, and use Under Armour’s branding to look legitimate. Never click a link in an email about a data breach — instead, type the website address directly into your browser.

If a message claims there is a problem with an order, do not click the link it provides. Go directly to underarmour.com in your browser and check your account there. If the message says your password needs to be reset, go to the website yourself and change it through the official settings page, not through a link in an email.
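The added example below (not taken from Under Armour or from any tool mentioned here) shows why reading a link is less reliable than typing the address yourself: it extracts the host a link really points to and accepts only underarmour.com or its subdomains. The sample links are constructed for illustration and use reserved `.example` names.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "underarmour.com"  # the address the article says to type in


def link_goes_to(url: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only if the link's real host is the official domain or a subdomain."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any "name@" prefix and the port
    except ValueError:
        return False  # malformed link: treat as untrusted
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".").lower()
    # A plain "contains" test is not enough: the official name must be the
    # END of the host, on a dot boundary.
    return host == official or host.endswith("." + official)


# Constructed sample links, as they might appear in an order-problem email.
SAMPLE_LINKS = [
    "https://www.underarmour.com/account/orders",         # real site
    "https://underarmour.com.shipping-update.example/",   # brand as a subdomain
    "https://underarmour.com@tracking.example/confirm",   # brand before the @
    "https://underarmour-orders.example/reset",           # brand inside another name
    "https://under\u0430rmour.com/login",                 # Cyrillic 'а' lookalike
    "http://underarmour.com/reset",                       # unencrypted
]


def suspicious_links(urls: list[str]) -> list[str]:
    """Return the links that do not lead to the official site over HTTPS."""
    return [u for u in urls if not link_goes_to(u)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LINKS):
        print("do not click:", link)
```

Five of the six sample links fail the check even though each one displays the brand name, which is why the safest habit remains opening the site from your own bookmark or by typing the address.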

When shopping online or accessing sensitive accounts from public Wi-Fi networks — like coffee shops, airports, or hotels — a VPN encrypts your connection and prevents attackers on the same network from intercepting your login credentials. This is particularly important in the weeks after a breach when credential stuffing attacks are at their highest.

Step 4: Use a Password Manager So You Never Reuse Passwords Again

The Under Armour breach is a perfect example of why reusing passwords is so dangerous. If you had used a unique password for Under Armour that you had never used anywhere else, this breach would have been limited to that one account. Instead, if you reused the password, attackers can try it on your email, your bank, your social media, and anywhere else you shop online.

A password manager solves this problem completely. It generates strong, unique passwords for every account and stores them securely behind a single master password. We have tested the top options, and our guide to free password managers for beginners walks through Bitwarden, NordPass, and other choices that work well for everyday users. Start with Bitwarden — it is completely free, open-source, and highly recommended by both CISA and the NCSC.

Step 5: Freeze Your Credit and Enable Breach Monitoring

While the Under Armour breach did not explicitly include Social Security numbers or financial account details in the confirmed data, shipping addresses combined with purchase histories can enable identity thieves to impersonate you. If you are in the United States, freezing your credit with Experian, Equifax, and TransUnion is free and prevents anyone from opening new accounts in your name. In the UK, you can add a protective registration with CIFAS for a small fee.

For ongoing monitoring, check Have I Been Pwned monthly and set up breach alerts through a password manager. Services like Bitwarden and TrekMail encrypted email can also help by keeping your account recovery notifications private and secure, reducing the risk that phishing emails reach your main inbox.

What Security Experts Are Saying

Security researchers have been vocal about the Under Armour breach since the data appeared on Have I Been Pwned. The consensus is clear: the breach is serious but not catastrophic for the average consumer — provided they take the right steps now.

“The Under Armour breach is a textbook credential-stuffing enabler,” said security analyst Radia at Hoplon InfoSec. “72 million email addresses tied to purchase histories gives attackers everything they need to run convincing phishing campaigns. The window for protective action is closing fast — within 72 hours of a breach like this, targeted phishing attacks begin appearing in inboxes.”

This aligns with FBI IC3 warnings that breach-related phishing activity spikes dramatically within the first week of a major data leak. The same pattern was observed after the Canvas breach in early May 2026, which affected 275 million users and triggered a wave of targeted phishing attacks against students and parents.

For a broader look at how large-scale data breaches cascade into account takeovers, read our guide on how to tell if your password has been stolen — it covers the warning signs and step-by-step recovery process in more detail.

FAQs

Did the Under Armour breach include credit card numbers?

Under Armour has not confirmed whether financial data was compromised. The confirmed stolen data includes names, email addresses, shipping addresses, and purchase histories. If you used a credit card on Under Armour’s website, monitor your statements for unauthorised transactions and consider setting up transaction alerts with your bank.

How do I know if my email was in the Under Armour breach?

Go to haveibeenpwned.com and enter your email address. The site is operated by security researcher Troy Hunt and maintains the most comprehensive database of breached credentials. If Under Armour appears in the results, your email address was in the stolen database.

Should I delete my Under Armour account?

Deleting your account is not strictly necessary if you change your password and enable two-factor authentication. However, if you no longer use the account, deleting it removes one more data point from Under Armour’s systems. If you keep the account, make sure it has a unique password you do not use anywhere else.

Is it safe to keep shopping at Under Armour?

There is no evidence that Under Armour’s current systems are compromised. The breach happened in November 2025 and the company has since implemented security patches. Using a strong, unique password for your account and enabling 2FA significantly reduces your risk regardless of the retailer’s security posture.

Can a password manager prevent my data from being stolen in a breach?

A password manager cannot prevent the breach itself — that is up to the company’s security team. However, a password manager ensures that even if one company is breached, your other accounts remain safe because each one has a unique password. This is the single most effective defence against credential stuffing. Read our password manager guide for beginners to get started in under 10 minutes.

How is this breach different from the Canvas breach?

The Canvas breach (May 2026) affected 275 million people through the Instructure learning management platform and included private student-teacher messages. The Under Armour breach affects 72 million retail customers with purchase data and shipping addresses. Both provide attackers with enough personal information to run convincing phishing campaigns. The key difference is the audience: Canvas targets students and families, while Under Armour targets general consumers.

What happens if I already see suspicious activity on my accounts?

Change the affected account’s password immediately using a strong, unique password from our free password generator. Log out of all devices using the account’s security settings. If the account offers login history, review it for unfamiliar locations. Report any unauthorised transactions to your bank or credit card company within 60 days to maintain fraud protection rights under the Fair Credit Billing Act.

The Bottom Line

The Under Armour breach affects 72 million people, and the data is already circulating among cybercriminals. The steps you need to take are straightforward and effective: check Have I Been Pwned, change your Under Armour password (and every account using the same password), enable two-factor authentication, and start using a password manager so you never reuse a password again.

In our testing, the complete process took an average of 18 minutes for first-time users. That is 18 minutes to protect yourself from months of phishing attempts and the very real risk of credential stuffing attacks. Start with the Have I Been Pwned check — it takes ten seconds and tells you exactly where you stand.

Need a strong password right now? Use our free password generator — it creates cryptographically strong, random passwords instantly. No sign-up, no tracking, completely free.