Adidas has confirmed it is actively investigating a potential data breach involving one of its independent third-party partners after a threat actor operating under the alias “LAPSUS-GROUP” posted claims on BreachForums on February 16, 2026, alleging unauthorized access to the sportswear giant’s extranet portal.
The actor, believed to be associated with the Scattered Lapsus$ Hunters collective, a group known for social engineering-based intrusions, claims to have exfiltrated approximately 815,000 rows of data from the Adidas Extranet, a restricted web-based portal used by authorized business partners, suppliers, and retailers to interact with the company.
The allegedly stolen dataset includes first names, last names, email addresses, passwords, birthdays, company information, and what the threat actor described as “a lot of technical data.” The group also hinted at further disclosures, stating “something bigger is coming,” and separately claimed to hold roughly 420GB of Adidas-related data tied to the French market.
“We have been made aware of a potential data protection incident at one of our independent licensing partners and distributor for martial arts products,” an Adidas spokesperson confirmed to The Register.
“This is an independent company with its own IT systems.” Adidas explicitly stated there is “no indication that the Adidas IT infrastructure, our own e-commerce platforms, or any of our consumer data are affected by the incident.”
This incident follows a separate third-party breach disclosed in May 2025, when an unauthorized party gained access to a third-party customer service provider used by Adidas, exposing contact details of customers who had previously reached out to the brand’s helpdesk.
In that incident, no passwords or financial data were compromised. The recurrence of third-party incidents marks a troubling pattern for the German sportswear giant, reinforcing concerns around supply chain security and vendor access management.
Adidas declined to confirm the timeline of the compromise or specify what data was accessed, leaving questions unanswered as the investigation continues.
Security experts recommend that enterprises enforce strict least-privilege access, mandate multi-factor authentication for all third-party vendor interactions, and conduct regular audits of partner-facing portals to minimize exposure from extranet-style attack surfaces.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Adidas Investigates Alleged Data Breach – 815,000 Records of Customer Data Stolen appeared first on Cyber Security News.
