TL;DR: On February 16, 2026, a threat actor using the alias "LAPSUS-GROUP" posted claims on BreachForums alleging they stole 815,000 records from Adidas by accessing the company's extranet portal. Adidas says its own systems weren't touched. The breach hit a third-party licensing partner that handles martial arts products. The stolen data reportedly includes names, email addresses, passwords, birthdates, and company information. This is Adidas's second third-party breach in under a year.

What Happened

On February 16, a hacker using the "LAPSUS-GROUP" moniker dropped a post on BreachForums claiming they'd breached Adidas's extranet, a restricted web portal used by business partners, suppliers, and retailers.[1]

Their haul? Allegedly 815,000 rows of data containing:[2]

  • First and last names
  • Email addresses
  • Passwords (unclear if hashed)
  • Birthdates
  • Company names
  • "A lot of technical data" (their words)

The hackers also claim more is coming: roughly 420GB of French-only content that they say they'll release soon.[3]

Adidas Response: Not Us, It's Them

Adidas moved quickly to downplay the breach. Their statement on February 18:

"There is no indication that the Adidas IT infrastructure, our own e-commerce platforms, or any of our consumer data are affected by the incident."

Instead, Adidas says the breach hit "an independent company with its own IT systems" that serves as a licensing partner for martial arts products.[1]

Translation: Don't blame us, blame our partner.

The company hasn't disclosed when the breach actually occurred, how attackers got in, or the name of the compromised partner. Security researchers have identified the likely target as Double D, a French company that's been Adidas's global licensee for combat sports products since 2005.[3]

Second Third-Party Breach in Under a Year

Here's the pattern that should worry you: this isn't Adidas's first rodeo with vendor breaches.

In May 2025, Adidas notified customers that personal data was stolen after "an unauthorized individual gained access to a third-party system." That breach involved a customer service provider.[4]

Two vendor breaches in under 12 months. Same playbook: attack the partner, get the data, let the big brand deal with the fallout.

This is the supply chain attack strategy in action. Why hit Adidas directly when their partners have weaker security and the same access?

Who Is LAPSUS-GROUP?

The group claiming responsibility appears connected to the broader Lapsus$ ecosystem, the same hacking collective that made headlines hitting Microsoft, NVIDIA, Samsung, and Uber in 2022.[5]

Security researchers have linked this actor to the "Scattered Lapsus$ Hunters" collective, which combines elements of:

  • LAPSUS$: The original teenage-led group that hit major tech companies
  • Scattered Spider: Known for social engineering attacks on Okta, Twilio, and MGM
  • ShinyHunters: Data theft specialists operating on dark web forums

Whether this specific actor has formal ties to these groups or is just borrowing the brand is unclear. The Lapsus$ name carries weight in breach forums.

Is This as Bad as It Sounds?

Maybe not. Some researchers are skeptical of the hacker's claims.

According to Cybernews researchers who reviewed the leaked samples, the group may be "exaggerating its latest feat and essentially abusing Adidas as a big brand name to gain further notoriety."[3]

Their analysis suggests:

  • The personal information appears to be from customers and employees of Adidas resellers, not Adidas directly
  • Only around 130 accounts may actually be affected
  • The "815,000 records" claim may include duplicates or non-sensitive data

That said, even 130 exposed accounts with passwords and birthdates is a problem. And the hackers say they have 420GB more coming.

The Supply Chain Problem

Adidas isn't unique. Third-party breaches are the new normal:

  • ESA: 500GB stolen through contractor access (January 2026)
  • Aflac: 22 million records via vendor compromise
  • Korean Air: 30,000 employees exposed through supply chain attack
  • Conduent: 26 million Americans affected via government contractor

Companies invest millions in their own security while their partners run on default passwords. Attackers know this.

What You Should Do

If you've bought Adidas martial arts or combat sports gear, especially through European retailers:

  • Change your passwords: Especially if you reused them anywhere
  • Watch for phishing: Attackers have your email and name; expect targeted scams
  • Monitor your accounts: Birthdates + emails = social engineering fuel
  • Enable 2FA everywhere: A password alone isn't enough

Adidas hasn't announced any notification or credit monitoring for affected users. Given their "not our systems" stance, don't hold your breath.

The Bottom Line

Adidas got hit through a partner again. The Lapsus$ brand continues doing damage. And 815,000 records (or maybe just 130, depending on who you believe) are floating around BreachForums.

The company's response is textbook: point at the third party, claim your systems are fine, refuse to share details.

Two partner breaches in under a year suggest Adidas needs to look harder at its vendor security requirements. Your data doesn't care whose server it was stolen from.

References

  1. The Register - Adidas Investigates Third-Party Data Breach (February 2026)
  2. Cybersecurity News - Adidas Investigates Alleged Data Breach (February 2026)
  3. TechRadar - Hackers Claim Breach of Adidas Systems (February 2026)
  4. Help Net Security - Adidas Third-Party Data Breach Investigation (February 2026)
  5. Cyberpress - Adidas Data Breach: 815,000 Records Allegedly Stolen (February 2026)