LAST UPDATED Loading...

Alleged Nike Data Breach Includes Customer Records and Internal Logs

A threat actor claims to have stolen a large Nike customer database and internal application logs, although the authenticity of the alleged breach remains unverified.
Screenshot of a cybercrime forum post in which the threat actor Nocturne claims to have breached Nike, alleging theft of millions of customer records and publishing a blurred sample of purported internal application logs.
Screenshot of the threat actor’s post alleging a June 2026 breach of Nike. BreachNews redacted the accompanying Alcon claims and blurred the published sample data to focus on the Nike allegations and avoid republishing potentially sensitive information.

Nike is allegedly the victim of a data breach after a threat actor claimed to possess a large customer database alongside what appear to be internal application logs. The material, published by a recently created forum account, allegedly contains customer records from 2026 and technical data referencing multiple Nike services. Nike had not issued any public statement at time of publication.

Threat actor claims millions of customer records

The post alleges that data was obtained from Nike systems during June 2026 and claims approximately 40 GB of compressed CSV files were exfiltrated. According to the threat actor, the archive contains customer registration and order-related information collected during 2026, with the total number of records reportedly reaching into the tens of millions.

Based on the published samples, the alleged dataset appears to include:

  • Full names
  • Email addresses
  • Phone numbers
  • Shipping addresses
  • Order information
  • Checkout metadata
  • Application logs
  • Telemetry data

BreachNews has intentionally withheld potentially sensitive information contained in the published samples.

Technical artifacts reference Nike infrastructure

The sample files contain numerous references that appear consistent with Nike’s application environment, including checkoutpreviews, com.nike.commerce.checkout.web, nike:swoosh, AWS infrastructure, and Splunk instances ending in .nike.splunkcloud.com.

Additional entries reference authentication services, OpenTelemetry collectors, internal product management components, and Nike product identifiers. One product code visible in the samples corresponds to a legitimate Nike apparel item. While these references appear internally consistent and include names associated with Nike services, they do not independently confirm that the data originated from Nike or that unauthorized access to company systems occurred.

Authenticity remains unverified

BreachNews could not independently verify the authenticity of the alleged database or determine whether the information was obtained through unauthorized access to Nike systems.

The forum account responsible for publishing the claim has little publicly established history, making independent verification especially important. Although the samples appear internally consistent and contain detailed technical references, they should not be treated as confirmation that a breach occurred.

The Nike claim was published alongside a separate alleged breach involving medical device manufacturer Alcon by the same forum account. Both claims were posted within the same thread, although BreachNews has found no evidence linking the alleged incidents beyond their publication by the same threat actor. Read our coverage of the alleged Alcon breach here.

Potential customer impact

If the claims prove authentic, the alleged exposure could affect a significant number of Nike customers. The combination of personal information, order history, and application telemetry could increase the risk of phishing, identity fraud, and account takeover attempts.

BreachNews will post an update if Nike confirms the incident, disputes the claims, or releases additional information regarding the alleged breach.

Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

Newsletter signup

Get the latest data breach and security news.

Please wait...

Thank you for signing up!

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map