A hacker operating under the alias “Sp1d3r” has claimed responsibility for breaching systems connected to Adidas, allegedly exfiltrating a massive trove of customer data that includes millions of records. While the German sportswear giant has confirmed a data security incident, it has pointed the finger at a third-party customer service provider as the actual point of compromise — a distinction that raises significant questions about supply chain security and corporate accountability in an era of increasingly sophisticated cyberattacks.
The breach, first reported by TechRadar, came to light when the threat actor posted claims on a well-known cybercrime forum, boasting access to a substantial volume of Adidas customer information. The data reportedly includes customer email addresses, phone numbers, and other personally identifiable information associated with individuals who had contacted Adidas customer support services.
The Scale of the Alleged Breach and What Was Taken
According to the hacker’s claims, the stolen dataset is substantial. Reports indicate the breach may involve tens of millions of customer records, though the exact figure remains a subject of dispute between the threat actor’s assertions and what Adidas has publicly acknowledged. The data allegedly encompasses contact details, transaction histories related to customer service interactions, and potentially other sensitive information that customers would have shared during support inquiries.
Adidas, in a statement provided to multiple outlets, confirmed that it became aware of unauthorized access but was careful to frame the incident as a third-party breach rather than a direct compromise of its own infrastructure. “We are aware that an unauthorized party obtained certain consumer data through a third-party customer service provider,” the company stated. Adidas added that the data involved did not include passwords or credit card information, an assurance meant to temper the severity of the disclosure in the eyes of affected customers.
The Third-Party Problem: Who Actually Got Hacked?
The identity of the third-party vendor has not been publicly confirmed by Adidas, and the company has declined to name the service provider involved. This opacity is itself a point of contention among cybersecurity professionals, who argue that consumers deserve to know which companies are handling their data and where vulnerabilities exist. When a brand as prominent as Adidas outsources customer service functions, the data shared with those vendors effectively carries the same risk profile as data held internally — yet the security standards may differ dramatically.
This pattern of third-party breaches has become alarmingly common across industries. Major corporations frequently rely on external vendors for customer support, logistics, marketing, and IT services, creating a web of data-sharing relationships that dramatically expands the attack surface. The Adidas incident echoes recent high-profile breaches at other global brands where the initial point of compromise was not the company itself but a downstream partner with weaker security controls. The 2023 MOVEit breach, for instance, affected hundreds of organizations through a single file transfer software vulnerability exploited across vendor networks.
Sp1d3r: A Familiar Name in Cybercrime Circles
The hacker known as Sp1d3r is not a newcomer to the cybercrime scene. This alias has been linked to previous data theft claims involving other major corporations, and the actor has developed a reputation for targeting organizations through their weakest links — often third-party service providers and cloud-based platforms. Security researchers have noted that Sp1d3r has been associated with breaches involving data hosted on or accessible through Snowflake, the cloud data platform that was at the center of a wave of attacks in 2024 affecting companies including Ticketmaster, Santander, and AT&T.
The modus operandi typically involves obtaining credentials — sometimes through infostealer malware, sometimes through purchasing them on dark web marketplaces — and then using those credentials to access cloud-hosted databases. The Snowflake-related incidents were particularly damaging because many affected organizations had not enabled multi-factor authentication on their accounts, leaving them vulnerable to credential-based attacks. Whether the Adidas-related breach followed a similar pattern has not been confirmed, but the involvement of Sp1d3r suggests a possible connection to this broader campaign of cloud-targeted intrusions.
Adidas’s Response and the Question of Customer Notification
Adidas has stated that it is working with the affected third-party provider and has taken steps to address the situation. The company said it has notified relevant data protection authorities, as required under regulations such as the European Union’s General Data Protection Regulation (GDPR). Under GDPR, companies that experience breaches affecting EU citizens’ data are required to notify supervisory authorities within 72 hours and must inform affected individuals if the breach poses a high risk to their rights and freedoms.
However, the speed and transparency of Adidas’s response have drawn scrutiny. Consumer advocates have pointed out that the company’s initial statements were carefully worded to minimize perceived damage, emphasizing what was not stolen (passwords and payment data) rather than providing a full accounting of what was compromised. Email addresses and phone numbers, while not as immediately dangerous as financial credentials, are highly valuable to cybercriminals for phishing campaigns, SIM-swapping attacks, and social engineering schemes. Customers whose data was exposed may face elevated risks of targeted scams for months or years to come.
A Growing Pattern of Sportswear and Retail Sector Breaches
The Adidas incident is far from isolated in the retail and sportswear sector. Nike, Puma, and other major athletic brands have all faced cybersecurity incidents of varying severity in recent years. The retail industry broadly has become one of the most targeted sectors for cybercriminals, driven by the vast quantities of consumer data these companies collect and the complex vendor relationships they maintain. According to IBM’s annual Cost of a Data Breach report, the average cost of a retail sector breach reached $3.28 million in 2024, a figure that accounts for detection, response, notification, and lost business.
For Adidas specifically, this is not the first time the company has dealt with a data security incident. In 2018, the company disclosed a breach affecting millions of customers on its U.S. website, where personal data including contact information and encrypted passwords were potentially exposed. That earlier incident, combined with this latest breach, raises questions about whether the company has sufficiently strengthened its security posture and its oversight of third-party vendors in the intervening years.
What This Means for Vendor Risk Management
The Adidas breach underscores a fundamental challenge facing large enterprises: no matter how strong internal security measures may be, the chain is only as strong as its weakest vendor. Third-party risk management has become a board-level concern at major corporations, yet many organizations still lack comprehensive visibility into how their data is stored, processed, and protected by external partners.
Industry experts recommend several measures that companies like Adidas should implement — or verify are already in place — to mitigate third-party risk. These include requiring vendors to adhere to specific security frameworks such as SOC 2 or ISO 27001, mandating multi-factor authentication for all access to shared systems, conducting regular security audits of vendor environments, and establishing contractual obligations for breach notification timelines. Some organizations have gone further, implementing zero-trust architectures that limit vendor access to only the specific data and systems necessary for their function.
The Road Ahead for Affected Customers
For the millions of customers potentially affected by this breach, the immediate steps are familiar but important. Security professionals recommend monitoring email accounts for phishing attempts, being wary of unsolicited communications that reference Adidas or customer service interactions, and considering the use of unique email addresses for different online accounts to limit exposure from any single breach. While Adidas has stated that no passwords were compromised, customers who reuse passwords across services should take this as an opportunity to update their credentials and enable multi-factor authentication wherever possible.
The broader takeaway from the Adidas incident is that consumers have limited control over how their data is handled once it is shared with a company — and even less visibility into the chain of vendors that may ultimately process that information. As regulatory frameworks like GDPR and the California Consumer Privacy Act continue to evolve, pressure is mounting on companies to not only protect data within their own walls but to ensure that every partner in their supply chain meets equivalent standards. Whether Adidas and its peers will rise to meet that challenge remains to be seen, but the cost of failure — measured in customer trust, regulatory penalties, and brand reputation — continues to climb with each successive breach.


WebProNews is an iEntry Publication