Under Armour is investigating reports that email addresses tied to roughly 72 million accounts were posted online. Have I Been Pwned indexed about 72.7 million unique addresses after the set appeared on a hacking forum in January 2026. The company says there is no current evidence that UA.com, payment systems, or customer password stores were affected — but names, dates of birth, location clues, and purchase history still fuel convincing scam messages that look like they come from Under Armour or its fitness apps.

What Happened
| When | What |
|---|---|
| Nov 2025 | Everest ransomware group claimed Under Armour and alleged ~343GB of data in an extortion attempt (HIBP) |
| Jan 2026 | Customer data published on a public hacking forum; HIBP added the breach 21 Jan 2026 and notified affected addresses |
| 22 Jan 2026 | TechCrunch reports Under Armour is “aware” and investigating with outside experts |
| Field reported in the dump | Why it still hurts without passwords |
|---|---|
| Email addresses (~72.7M unique) | Direct targeting list for spoofed “UA order / MapMyRun / account” mail |
| Names, gender, date of birth | Personalized phishing and account-recovery social engineering |
| ZIP / postcode geo hints | Local “store pickup” and package-scam lures |
| Purchase-related info | Order-confirmation and refund fraud that looks legitimate |
Under Armour told TechCrunch a very small percentage of customers may have had information it considers sensitive exposed, and that claims of tens of millions of “sensitive” records are unfounded. Separately, Cybernews described a ~19.5GB release with ~72.7M emails (and far more total rows), including employee addresses and marketing/purchase data — useful raw material for spear-phishing even when login secrets stay offline.

Why Email-Only Still Matters
| Threat | What victims should expect |
|---|---|
| Brand spoofing | Fake “security,” “loyalty,” or “order update” mail from lookalike UA / MapMy* senders |
| Credential harvesting | Links to fake login pages that steal MapMyRun / MapMyFitness / store passwords you still use elsewhere |
| MFA fatigue / support scams | Calls or texts that cite real DOB or order detail from the dump |
| Reuse across breaches | HIBP noted most of these emails already appeared in prior breaches — password reuse remains high risk |
Independent Cybersecurity Audit
We scored Under Armour consumer and fitness domains plus primary reporting sources on July 14, 2026. 100% is the ideal. Sorted by overall (highest first).
| Domain | Overall | Identity | Transport | Website | Level |
|---|---|---|---|---|---|
| haveibeenpwned.com | 88% | 90% | 45% | 100% | Strong |
| mapmyrun.com | 70% | 90% | 15% | 45% | Good |
| mapmyfitness.com | 70% | 90% | 15% | 45% | Good |
| techcrunch.com | 70% | 90% | 15% | 45% | Good |
| ua.com | 54% | 50% | 15% | 45% | Average |
| underarmour.com | 52% | 45% | 15% | 45% | Average |
| Finding | Detail |
|---|---|
| Ideal score | 0 of 6 hit 100% overall |
| Soft retail identity | underarmour.com Identity 45% / ua.com 50% — weaker spoof resistance than MapMy* apps at 90% |
| Soft transport | 15% Transport on Under Armour, MapMy*, and TechCrunch — limited MTA-STS / encrypted-transport posture |
| Strongest here | haveibeenpwned.com at 88% with Website 100% |
| Phishing implication | After a 72M-email dump, soft Identity on the retail brand domains makes forged “reset your UA account” mail easier to trust |

Audit links: underarmour.com · ua.com · mapmyrun.com · mapmyfitness.com · haveibeenpwned.com · techcrunch.com
Website stack note
Passive website-tech probes on July 14, 2026 covered all six domains above (6 probed, 0 notable). No outdated CMS / PHP / short-horizon TLS alerts stood out. The operational risk in this story is leaked identity + purchase context enabling phishing, not a public WordPress core headline on these marketing domains.
What Texas Shoppers and Teams Should Do
| Audience | Action |
|---|---|
| Anyone with a UA / MapMy* account | Check Have I Been Pwned; treat unexpected UA emails as hostile until you verify in-app |
| Password reuse | Change passwords on any account that shared the same password as UA apps; enable MFA |
| Families & employees | Ignore “confirm your order / gift card / membership” links that arrive by unexpected mail or text |
| Businesses | Remind staff that retail breach dumps power BEC and vendor fraud that name real brands and purchase detail |
| Domain owners | Aim for audit 100%: DMARC p=reject, strong BIMI path where eligible, and MTA-STS — soft Identity/Transport is exactly what attackers abuse after email leaks |
Related Coverage
- Meta Muse Image / Instagram AI privacy
- Chrome vulnerability wave
- FBI IC3 cyber alerts
- All cyber alerts
Sources: TechCrunch (Jan 22, 2026); Have I Been Pwned — Under Armour; Cybernews reporting on the forum dump. Independent EmailMeNow domain audits and website-tech probes July 14, 2026. This is not legal advice.