Adidas Probes Third-Party Data Breach After Lapsus$ Claims 815,000 Stolen Records

Home » News
Yash Shield
News
Reading time icon 4 min. read

Calendar icon Published on

Sportswear manufacturer Adidas is currently investigating a data breach involving an independent licensing partner. On February 16, 2026, a threat actor known as “LAPSUS-GROUP” claimed to have breached the Adidas Extranet. The group stated they stole 815,000 rows of corporate data. Adidas quickly confirmed the incident is limited to a third-party distributor for martial arts products and clarified that its primary IT infrastructure remains secure.

The hacker collective posted the compromised dataset on the underground site BreachForums. They claimed the stolen information includes names, email addresses, passwords, birthdates, and technical corporate data. The group also issued a public warning that a larger release of 420GB of data linked to the French market is coming soon.

BEST WINTER DEALS
Editor's Choice
Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.
Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

To prevent unnecessary panic, Adidas quickly contained the public narrative. A company spokesperson clarified the scope of the breach to technology news outlets, emphasizing that direct consumer data was not impacted.

Adidas Spokerperson– “We have been made aware of a potential data protection incident at one of our independent licensing partners and distributor for martial arts products. This is an independent company with its own IT systems. There is no indication that the adidas IT infrastructure, our own e-commerce platforms, or any of our consumer data are affected by the incident.”

Security researchers later identified the affected partner as Double D. This French firm has served as a global licensee for Adidas combat sports since 2005. Cybersecurity experts note that the hacking group is likely exaggerating the severity of the breach to gain notoriety. Researchers examined the leaked SQL files and found that the 815,000 rows contain many useless database commands rather than pure user records. The actual personal information appears to belong to a much smaller pool of employees and resellers associated with the French distributor. “There is no direct Adidas data involved, and the number of exposed rows is blown out of proportion. Even lines such as DROP TABLE are included.”

This event marks the second time in less than a year that Adidas has dealt with a vendor-related security incident. In May 2025, the company notified customers about a separate data leak originating from an external customer service provider. These recurring issues highlight the growing risk of supply chain vulnerabilities for major global brands.

Analyzing the Claims

The table below breaks down the differences between the hacker’s initial forum post and the verified facts uncovered by security researchers.

DetailThreat Actor ClaimVerified Reality
Target SystemAdidas ExtranetThird-party martial arts licensee (Double D)
Data Volume815,000 rows of user dataIncludes raw database commands
Consumer ImpactWidespread corporate accessLimited to partner resellers and employees
Future Threat420GB of French market dataUnverified and under investigation

Securing Third-Party Access

To prevent similar supply chain breaches, organizations should adopt the following security measures for external partners:

  • Implement strict least privilege access for all external vendors.
  • Require multi-factor authentication for any partner logging into corporate portals.
  • Conduct regular security audits of all independent licensing partners.
  • Monitor dark web forums to detect unauthorized data leaks early.

Frequently Asked Questions

What exactly was stolen in the Adidas breach?

The leaked data reportedly includes names, emails, hashed passwords, and business details belonging to employees and partners of an independent Adidas licensee. Direct Adidas consumer shopping data was not affected.

Who is the Lapsus$ Group?

Lapsus-Group is a cybercrime collective known for using social engineering to compromise large corporations. They recently formed an alliance called Scattered Lapsus$ Hunters with other notable hacking groups.

Is my Adidas customer account safe?

Yes. Adidas has confirmed that its proprietary e-commerce platforms and core IT infrastructure were not breached during this incident. You do not need to change your main Adidas shopping password based on this specific event.

Why do hackers target third-party vendors?

Major brands often have highly secure internal networks. Hackers target external partners because these smaller companies sometimes lack advanced security controls. This makes the vendor an easier backdoor into the larger corporate supply chain.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages