Adidas has confirmed it is actively investigating a data breach at one of its independent licensing partners after threat actors claiming to be the Lapsus$ Group posted allegedly stolen data on BreachForums. The incident highlights the ongoing risks posed by third-party vendor relationships in enterprise supply chains.
What Happened
On February 16, 2026, someone purporting to represent the notorious Lapsus$ Group posted on BreachForums claiming to have compromised Adidas’s extranet. According to the original report from The Register, the alleged stolen dataset contains 815,000 rows of information including:
- First and last names
- Email addresses
- Passwords
- Birthdays
- Company names
- “A lot of technical data”
Adidas Response
An Adidas spokesperson confirmed to The Register that the company is investigating a “potential data protection incident” at one of their independent licensing partners and distributors for martial arts products. Critically, Adidas emphasized that this is an independent company operating its own IT systems.
The spokesperson stated there is “no indication that the Adidas IT infrastructure, our own e-commerce platforms, or any of our consumer data are affected by the incident.” However, the company declined to specify when the compromise occurred or what specific information may have been stolen.
Pattern of Third-Party Breaches
This incident marks the second third-party security breach affecting Adidas in less than a year. In May 2025, the sportswear giant notified customers that data was stolen from a third-party customer service provider after an unauthorized intrusion.
The recurring pattern underscores a critical vulnerability facing large enterprises: their security is only as strong as their weakest vendor. Third-party risk management has become one of the most challenging aspects of enterprise security programs.
Who is Lapsus$?
Lapsus$ is a chaotic cybercrime group composed primarily of teenagers and young adults who gained notoriety during a prolific 2021-2022 crime spree. The gang successfully breached high-profile targets including:
- BT (British Telecom)
- Nvidia
- Microsoft
- Samsung
- Vodafone
- Revolut
- Okta
The group employed creative attack methods including phone-based social engineering, SIM swapping, and even paying employees of target organizations for access to credentials and multi-factor authentication codes.
In March 2022, UK police arrested seven individuals aged 16-21 for their alleged involvement. Two were subsequently charged.
The Scattered Lapsus$ Hunters Connection
In August 2025, Lapsus$ members allegedly joined forces with two other notorious cybercrime groups—Scattered Spider and ShinyHunters—forming a collective called “Scattered Lapsus$ Hunters.” This collaboration of some of the most effective cybercriminal crews represents a significant threat escalation.
In October 2025, this extortion collective listed Adidas on its leak site, claiming to have stolen over 20 million sensitive records in a February 2024 breach—suggesting the sportswear giant may have been a persistent target.
Implications for Organizations
This breach reinforces several critical lessons for security teams:
- Third-party risk is first-party risk: Your security posture includes every vendor, partner, and contractor with access to your data
- Supply chain attacks continue to pay off: Threat actors increasingly target smaller partners to reach larger organizations
- Threat actor collaboration is increasing: Groups like Scattered Lapsus$ Hunters demonstrate that cybercriminals are pooling resources and expertise
- Data compartmentalization matters: Adidas’s architecture apparently limited the breach to a partner’s systems—a security win
Source: The Register
