TL;DR: Extortion group World Leaks listed Nike on its dark web leak site on January 22, 2026, claiming to have stolen 1.4 terabytes (188,347 files) of internal Nike data. The leaked directories point to product design workflows, Jordan Brand files, factory training documents, and manufacturing processes. No customer or employee records appear to be involved. Nike confirmed it’s “investigating a potential cyber security incident.” Before BleepingComputer published its story, World Leaks removed the Nike listing, suggesting ransom negotiations or payment. World Leaks is the rebranded Hunters International ransomware gang, which ditched encryption for pure data extortion in January 2025.
What Got Stolen
On January 22, 2026, the extortion group World Leaks added Nike to its Tor-hosted leak site. Two days later, they made good on the threat: 1.4 terabytes of files, dumped for anyone to download.[1]
The haul wasn’t credit cards or passwords. It was something potentially worse for Nike: the company’s playbook.
According to The Register, which reviewed the listing, the 188,347 stolen files included directories labeled “Women’s Sportswear,” “Men’s Sportswear,” “Training Resource: Factory,” and “Garment Making Process.”[2] BleepingComputer reported the data also pointed to Jordan Brand design files and supply chain documentation.[3]
Translation: product designs, manufacturing processes, and the kind of operational detail that tells you exactly how Nike makes its stuff, and how to copy it.
A Counterfeiter’s Jackpot
Here’s why this breach stings even without customer data.
Nike’s entire business model rests on brand control. The company spent $4.3 billion on demand creation (marketing and brand-building) in fiscal year 2024 alone. When factory training manuals and garment-making process documents end up on the open internet, that control erodes fast.
The Cybernews research team summed it up: “The impact of the breach would be limited to loss of competitive advantage, increased risk of counterfeit products, and possible supply-chain disruptions.”[4]
“Limited” is doing a lot of work in that sentence. Counterfeiting already costs the global fashion industry an estimated $50 billion annually. Handing out Nike’s actual production blueprints makes the counterfeiters’ job dramatically easier.
And with Jordan Brand files in the mix, this isn’t just corporate embarrassment. Jordan sneakers routinely resell for hundreds or thousands of dollars. Design leaks could tank launch excitement, fuel knock-offs, and undercut a product line that generated $7.1 billion in Nike’s fiscal 2024.[2]
Nike’s Response: “Investigating”
Nike told BleepingComputer: “We always take consumer privacy and data security very seriously. We are investigating a potential cyber security incident and are actively assessing the situation.”[3]
The company declined to confirm what data was taken, how the attackers got in, or whether any ransom was paid.[2]
Here’s the tell: before BleepingComputer published its article, World Leaks quietly pulled the Nike listing from its leak site.[3] That usually means one of two things: active negotiations or a payout. The group doesn’t remove listings out of kindness.
Who Is World Leaks?
World Leaks isn’t some newcomer. It’s Hunters International with a fresh coat of paint.
Hunters International surfaced in late 2023 and racked up over 280 attacks. Security researchers flagged it as a likely rebrand of the Hive ransomware gang: the two shared at least 60% of their code, and affiliates referred to Hunters International as “хайв” (Hive in Russian).[5]
On November 17, 2024, the group’s leadership posted a message saying the ransomware business had become “risky and unprofitable due to actions taken by government bodies.” They weren’t quitting, though. They were pivoting.[5]
On January 1, 2025, World Leaks launched as a pure data-extortion operation. No more encrypting victim systems. No more ransomware. Just steal the data, threaten to publish it, and wait for payment.[5]
The new model is faster, quieter, and harder to detect. Affiliates get a custom exfiltration tool built to automate data theft. No encryption means fewer red flags for endpoint security. By the time victims notice, the files are already gone.[5]
Since May 2025, World Leaks has claimed over 30 victims. Nike is the biggest name on the list, but not the first high-profile target. In June 2025, the group hit a third-party supplier for Swiss bank UBS, leaking data on 130,000 employees. Other victims include Dell (July 2025), the U.S. Marshals Service, Tata Technologies, and U.S. Navy contractor Austal USA.[3][5]
Sportswear’s Bad Month
Nike isn’t even the only sportswear giant dealing with this right now.
Under Armour disclosed its own breach in January 2026 after the Everest ransomware gang published stolen data. According to Have I Been Pwned, 72.7 million Under Armour accounts were exposed, including email addresses, hashed passwords, and personal details.[6]
Two of the world’s biggest athletic brands, both breached in the same month. Nike lost its corporate blueprints. Under Armour lost its customers’ data. Different attack groups, different targets within the companies, same result: massive organizations that couldn’t keep their data locked down.
Fashion and sportswear companies have become magnets for data thieves, joining the growing roster of companies that failed to protect their data. Their global supply chains (spanning dozens of countries, hundreds of factory partners, and constant file-sharing between design teams) create an enormous attack surface. You don’t need to breach Nike’s headquarters when a factory partner in Vietnam might have weaker defenses.
Encryption Is Dead. Extortion Is the Business Now.
World Leaks represents a shift that’s reshaping cybercrime. The old ransomware playbook (encrypt the victim’s files, demand Bitcoin for the decryption key) is fading. Too many companies have decent backups now. Too many refused to pay. Law enforcement got better at seizing infrastructure.
So groups like World Leaks dropped the encryption entirely. Just grab the data and threaten to leak it. It’s cheaper to operate, harder to detect, and the leverage is just as good. A company might restore from backups after a ransomware attack. But they can’t un-leak proprietary designs that are already circulating on Tor.
Group-IB, the threat intelligence firm tracking the Hunters International-to-World Leaks transition, called it “a troubling evolution in cybercrime: a sharper focus on pure data extortion that is becoming more targeted and aggressive.”[5]
For companies like Nike, this is the worst version of the threat. Traditional ransomware was disruptive but temporary. Data extortion is permanent. Once those factory blueprints hit a leak site, they’re out there forever.
What to Watch
Did Nike Pay?
The removal of the listing from World Leaks’ site strongly suggests active negotiations or payment. Nike hasn’t confirmed either. Watch for SEC filings: publicly traded companies must now disclose material cybersecurity incidents within four business days under the SEC’s 2023 rule.
Customer Data Exposure
So far, this looks like a corporate IP theft, not a consumer data breach. But the investigation is ongoing. If employee records, partner data, or consumer information surfaces in the dump, the regulatory picture changes fast.
Supply Chain Fallout
If factory processes and supplier relationships are in those files, Nike’s manufacturing partners may face their own exposure. Counterfeit operations could use the stolen blueprints to produce more convincing fakes faster.
SEC Disclosure
Under current SEC rules, Nike must report material cyber incidents. The clock is ticking. How Nike characterizes the breach (material or not) will signal how seriously they’re treating the stolen data.
What Nike Customers Should Do
Right now, there’s no evidence that Nike customer accounts, payment data, or personal information were compromised. The stolen files appear to be internal corporate and manufacturing documents.
That said:
- Watch your Nike account. If you have a Nike or SNKRS account, enable two-factor authentication if you haven’t already. Change your password if you reuse it elsewhere.
- Be skeptical of “Nike breach notification” emails. Scammers love piggybacking on real breach news with phishing emails. Nike hasn’t sent breach notifications because no customer data appears compromised. Any email claiming otherwise is likely fake.
- Monitor for counterfeit spikes. If you buy resale sneakers, expect more convincing fakes hitting the market in the coming months. Stick to verified resale platforms like StockX, GOAT, or Nike’s own channels.
The Bottom Line
Nike didn’t lose your credit card number. It may have lost something more valuable: the blueprints to its entire product operation. In a world where counterfeiting is already a multi-billion-dollar problem, handing out factory manuals and design files is the kind of breach that doesn’t show up in identity theft statistics, but reshapes an entire market.
World Leaks pulled the listing. Nike is “investigating.” The data is either being negotiated over or it’s already been paid for. Either way, the files existed on a public leak site for at least two days. That’s enough time for anyone watching to grab a copy.
The new cybercrime model isn’t about locking your files. It’s about taking them and daring you to let the world see. And right now, Nike is finding out what that feels like.
References
- Security Affairs: Nike Is Investigating a Possible Data Breach After WorldLeaks Claims (January 2026)
- The Register: Data Thieves Claim They Stole 1.4 TB From Nike (January 26, 2026)
- BleepingComputer: Nike Investigates Data Breach After Extortion Gang Leaks Files (January 27, 2026)
- Cybernews: Nike Data Breach: Hackers Post Company Data (January 2026)
- BleepingComputer: Hunters International Rebrands as World Leaks in Shift to Data Extortion (2025)
- The Register: Under Armour Breach Context (January 2026)