Lapsus$ gang claims Adidas breach, company confirms investigation
The Lapsus$ hacking gang claims to have breached Adidas Extranet, accessing data such as user names, passwords, and extensive technical information. The threat actor also said that “something bigger” is coming soon. Adidas confirmed it was investigating the incident.
According to Lapsus$, it has breached around 815,000 exposed rows of data, which are part of the Adidas Extranet, a secure, restricted-access, web-based portal designed for authorized business partners, suppliers, retailers, and employees to interact directly with the company.
The leaked data reportedly includes first names, last names, email addresses, passwords, birthdays, company information, and technical data.
Adidas is sort of used to data breaches. In May 2025, this major German multinational sportswear manufacturer confirmed that a third-party breach had led to the compromise of customer data.
This time, though, Lapsus$ also said, “Something bigger is coming, just wait. You will like it.”
On Telegram, the group explained that the dump of Adidas Extranet data wasn’t even “this big leak,” adding that it actually had around 420GB of Adidas data linked to the French market.
After reviewing Lapsus$' claims, Cybernews researchers say the gang is exaggerating its latest feat and essentially abusing Adidas as a big brand name to gain further notoriety.
That’s because the personal information in the SQL (Structured Query Language) files seems to be from customers and employees of companies that resell Adidas products. Besides, the amount of data is not that big, as it seems only 130 accounts have been affected.
Even though the possibility of launching opportunistic phishing campaigns based on this data always exists, our research team says calling it a big Adidas breach would be misleading.
“There’s no direct Adidas data involved, and the number of exposed rows is blown out of proportion: even lines such as DROP TABLE are included,” our researchers explained.
According to them, the data has actually been from a company called Double D, a French firm founded in 1994. It’s a global licensee for Adidas combat sports since 2005. However, the company confirmed it was investigating the incident "at one of our independent licensing partners and distributor for martial arts products" to The Register.
The Adidas spokesperson said there was no indication that the company IT infrastructure, its e-commerce platform, or any consumer data were affected by the incident.
Still, in a report late last year, Resecurity said that Lapsus$, together with Scattered Spider and ShinyHunters, are three of the most notorious English-speaking cybercrime groups operating today – so the danger to Adidas might well be very real.
Unlock more exclusive Cybernews content on YouTube.
