Adidas has confirmed it is investigating a third-party breach at one of its partner companies after digital thieves claimed they stole information and technical data from the German sportswear giant.
"We have been made aware of a potential data protection incident at one of our independent licensing partners and distributor for martial arts products," an Adidas spokesperson told The Register. "This is an independent company with its own IT systems."
Adidas declined to answer our questions about when the compromise occurred, or what information the crooks pilfered during the intrusion. The spokesperson added that there's "no indication that the adidas IT infrastructure, our own e-commerce platforms, or any of our consumer data are affected by the incident."
Allegations of an incident at Adidas emerged on February 16, when someone claiming to be the Lapsus$ Group posted on BreachForums (screenshot shared by Daily Dark Web) that they had compromised the sportswear giant's extranet. According to the crooks, the stolen files – 815,000 rows of information – allegedly include: first and last names, email addresses, passwords, birthdays, company names, and "a lot of technical data."
This latest breach follows a similar third-party security incident that affected the sportswear multinational last year, in May 2025. As we reported at the time, Adidas notified customers that some of their data was stolen after an "unauthorized" person swiped it from a "third-party customer service provider."
Lapsus$ is a chaotic crew of teens and young people that gained notoriety during a 2021-2022 crime spree. The gang broke into and attempted to extort telecoms giant BT, Nvidia, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta, using a mix of phone-based social engineering, SIM swapping, and even paying employees of target organizations for access to credentials and multi-factor authentication (MFA) codes.
In March 2022, UK police arrested and then released seven people, aged 16 to 21, for their alleged role in Lapsus$ activities. Police re-arrested and charged two of the teens for their involvement with the cybercrime gang later that month.
More recently, in early August 2025, the crew – or at least some of its members – joined a cybercrime collective with Scattered Spider and ShinyHunters, operating under the name Scattered Lapsus$ Hunters. Two months later, in October 2025, the extortion collab listed Adidas on its leak site, and claimed to have stolen more than 20 million sensitive records back in February 2024.