Adidas is investigating claims by the Lapsus$ hacker collective that it has stolen 815,000 records from the company’s extranet through a compromised licensing partner. This is the second confirmed third-party breach affecting Adidas in nine months, raising questions about the company’s vendor oversight practices.
The breach was announced on BreachForums on 16 February by an account displaying the Lapsus$ signature logo, claiming access to “part of adidas.com extranet – 815 000 row.” According to The Register, Adidas confirmed it was “made aware of a potential data protection incident at one of our independent licensing partners and distributor for martial arts products.”
The stolen dataset reportedly includes names, email addresses, passwords, birthdays, company affiliations and what the attackers described as “a lot of technical data.” Adidas declined to specify when the breach occurred or detail what technical information was accessed.
Cybernews Analysis Contradicts Lapsus$ Claims
Security researchers at Cybernews examined the breach claims and concluded that Lapsus$ is “exaggerating its latest feat” and using Adidas as a high-profile brand name to gain notoriety. Their analysis suggests the personal information comes from customers and employees of companies that resell Adidas products, not from Adidas itself.
The researchers found that only around 130 accounts appear genuinely affected, with the 815,000 figure inflated by including database commands like “DROP TABLE” in the row count. According to TroyPoint, the data appears to originate from Double D, a French company that has served as a global licensee for Adidas combat sports since 2005.
That assessment feels overly generous. Even if the scale is exaggerated, Lapsus$ has demonstrated access to password data that could fuel credential stuffing attacks across multiple retail platforms.
Lapsus$ Threatens Larger Release
The group warned that “something bigger is coming” and separately claimed to hold approximately 420GB of additional Adidas-related data tied to the French market. On Telegram, Lapsus$ stated the current leak “wasn’t even this big leak,” suggesting further disclosures are planned.
Lapsus$ has re-emerged as part of a loose alliance with Scattered Spider and ShinyHunters, operating under the banner Scattered Lapsus$ Hunters. The collective gained notoriety during a 2021-2022 crime spree targeting Nvidia, Microsoft, Samsung, and BT through phone-based social engineering, SIM swapping, and employee bribery.
Adidas’ Second Partner Breach in Nine Months
This incident follows a separate third-party breach disclosed by Adidas in May 2025, when an unauthorised individual accessed customer data held by a third-party customer service provider. That earlier breach exposed contact information for customers who had contacted Adidas’ help desk but did not include payment data or passwords.
The pattern raises uncomfortable questions about Adidas’ third-party risk management. Two confirmed partner breaches in nine months suggest either inadequate vendor security requirements or insufficient monitoring of partner access controls. Under the EU’s NIS2 supply-chain provisions taking effect this year, retailers must demonstrate they had vendor controls for data minimisation, not just PCI segregation.
What Customers Should Do
Anyone who has used Adidas’ partner platforms or extranet should change passwords immediately on any accounts that share credentials with Adidas-related services. The stolen password data, even if limited in scope, provides enough material for targeted credential stuffing campaigns.
Enable two-factor authentication on retail accounts where available. Monitor bank statements for unusual activity, particularly if you have made purchases through Adidas partner retailers in recent months.
German data protection authorities and EU law enforcement agencies are investigating potential GDPR violations. So far there is no sign that payment or order systems were affected.
References
- The Register: Adidas investigates third-party data breach
- Cybernews: Lapsus$ gang claims Adidas breach
- CyberPress: Adidas Data Breach – 815,000 Records Allegedly Stolen
- TroyPoint: Adidas Data Breach Analysis
- Help Net Security: Adidas investigates alleged data breach
- Adidas Group: Data Security Information
- Xictron: NIS2 Directive 2026: What Online Retailers Must Know