Adidas investigates third-party data breach after criminals claim they pwned the sportswear giant

Adidas investigates third party breach

Adidas is investigating a data breach at a third-party partner after hackers claimed to have stolen technical data and consumer information from the sportswear giant. The company confirmed the incident involves an independent licensing partner and distributor responsible for martial arts products. This partner operates its own IT systems separate from the primary Adidas infrastructure.

The investigation began after a group claiming to be Lapsus$ posted evidence of the compromise on BreachForums on February 16. The hackers alleged they gained access to the Adidas extranet and exfiltrated a significant amount of data. Adidas has not yet confirmed the exact date the intrusion occurred or how the hackers gained entry to the partner's systems.

An Adidas spokesperson told reporters that there is currently no indication that the company's internal IT infrastructure or e-commerce platforms were compromised. The company maintains that consumer data stored on its primary servers remains secure. This breach highlights the ongoing risks associated with third-party vendors and the security of the broader retail supply chain.

Hackers claim massive data theft

The attackers claim to have stolen 815,000 rows of information from the Adidas extranet. This data reportedly includes a mix of personal identifiers and internal technical documentation. The hackers shared screenshots of the stolen files to verify their claims on the Daily Dark Web.

The leaked data allegedly contains several categories of sensitive information:

• First and last names of users
• Email addresses and account passwords
• User birthdays and company names
• Extensive technical data and system configurations

Adidas has declined to verify the specific contents of the stolen files or the total number of individuals affected. While the company claims its own systems are safe, the exposure of 815,000 rows of data presents a significant identity theft risk for the individuals involved. Security researchers often see such data used in follow-up phishing attacks and credential stuffing campaigns.

Internal systems remain secure

Adidas officials emphasized that the breach did not touch the core Adidas network. The company describes the affected entity as an independent licensing partner that manages its own digital security. This distinction allows Adidas to distance its primary consumer databases from the current security failure.

The company has not provided details regarding the security protocols required for its licensing partners. The Verge reached out to Adidas for clarification on whether the partner was compliant with standard corporate security audits. Adidas did not answer questions about the timeline of the compromise or the specific technical data the thieves pilfered.

This incident follows a previous security failure in May 2025. During that event, Adidas notified customers that an unauthorized person stole data from a third-party customer service provider. These recurring third-party incidents suggest that while Adidas secures its own perimeter, its partners remain a vulnerable entry point for cybercriminals.

The chaotic history of Lapsus

The Lapsus$ group gained international notoriety between 2021 and 2022 during a high-profile crime spree. The group consists primarily of teenagers and young adults who use unconventional methods to bypass sophisticated security. They do not rely solely on software vulnerabilities to breach corporate networks.

Lapsus$ utilizes a variety of aggressive tactics to gain access to corporate data:

• Social engineering: Calling help desks to reset passwords or bypass security checks.
• SIM swapping: Highjacking phone numbers to intercept multi-factor authentication codes.
• Insider threats: Paying employees of target organizations for their login credentials.
• MFA fatigue: Bombarding employees with login requests until they accidentally approve one.

The group previously targeted some of the largest technology and telecommunications firms in the world. Their victim list includes Microsoft, Nvidia, Samsung, and BT. They also successfully breached Vodafone, Revolut, and the identity management firm Okta. These attacks often resulted in the theft of proprietary source code and sensitive internal communications.

New hacker collectives emerge

The landscape of the Lapsus$ group shifted significantly in late 2025. Members of the original crew reportedly joined forces with other notorious hacking groups, including Scattered Spider and ShinyHunters. This new collective operates under the name Scattered Lapsus$ Hunters.

In October 2025, this combined group listed Adidas on its leak site. The hackers claimed they had stolen more than 20 million sensitive records as far back as February 2024. This claim suggests a much larger and more persistent compromise than the 815,000 rows currently being investigated by Adidas.

The partnership between these groups combines the social engineering expertise of Lapsus$ with the technical sophistication of Scattered Spider. Scattered Spider is known for its ability to navigate complex cloud environments and exploit corporate help desks. This collaboration increases the threat level for multinational corporations that rely on distributed workforces and third-party vendors.

Legal consequences and arrests

Law enforcement agencies have actively pursued members of the Lapsus$ crew since their initial rise. In March 2022, UK police arrested seven individuals between the ages of 16 and 21 for their alleged roles in the group’s activities. Authorities later released several of these suspects pending further investigation.

Later that same month, police re-arrested and charged two teenagers for their direct involvement with the cybercrime gang. Despite these arrests, the group’s activity has persisted through various splinter groups and new alliances. The decentralized nature of these gangs makes them difficult for international law enforcement to dismantle entirely.

The ongoing Adidas investigation will likely involve coordination with international cybercrime units to track the movement of the stolen data. Adidas must now determine if the February 2024 claims made by the Scattered Lapsus$ Hunters are accurate. If the hackers truly possess 20 million records, the scope of this breach far exceeds the initial reports from the martial arts licensing partner.