MyFitnessPal Under Armour Data Breach Class Action

Under Armour and its popular fitness app MyFitnessPal have faced multiple significant data breaches affecting hundreds of millions of users. The 2018 MyFitnessPal breach compromised 150 million user accounts through unauthorized access in February 2018, with Under Armour disclosing the incident the following month. However, when users attempted legal action, Under Armour successfully forced the case into arbitration rather than allowing it to proceed as a class action lawsuit—meaning affected individuals had limited ability to pursue claims collectively.

More recently, a second major breach emerged in late 2025 when the Everest ransomware group claimed access to 343 GB of Under Armour’s internal company data and subsequently published approximately 72.7 million unique email addresses on a public hacking forum by January 2026, prompting law firms to investigate potential new class action lawsuits. For MyFitnessPal users who experienced the 2018 breach, the arbitration requirement meant no traditional class action settlement was available. Those affected by the 2025-2026 Under Armour breach, however, may have opportunities to participate in emerging legal actions currently under investigation by multiple law firms. Understanding the differences between these breaches, what data was exposed, and what legal options exist is critical for anyone who has used Under Armour’s products or services.

What Happened in the MyFitnessPal 2018 Data Breach?

On February 2, 2018, unauthorized individuals gained access to MyFitnessPal’s systems, exposing data from approximately 150 million user accounts. The breach remained undetected for several weeks before Under Armour announced the incident on March 29, 2018. MyFitnessPal, which Under Armour had acquired in 2015, was one of the most widely-used fitness tracking applications at the time, making this one of the largest healthcare-related data breaches on record. The exposed data included usernames, email addresses, hashed passwords, and some users’ dietary preferences, exercise routines, and body measurements—information that many people considered highly personal.

Users who learned about the breach naturally sought legal recourse, filing lawsuits claiming breach of contract, negligence, invasion of privacy, and violations of California’s unfair and deceptive business practices laws. However, Under Armour invoked the arbitration clause that users had accepted in the app’s terms of service. In a significant legal setback for affected users, the company successfully filed a motion to compel arbitration, and the case was removed from public court and sent to arbitration. This outcome meant that instead of a class action lawsuit that could have provided compensation to all affected users, individual users faced the prospect of pursuing claims alone through a private arbitration process—a far more difficult and expensive path.

Why Did the 2018 Case Go to Arbitration Instead of Class Action?

Most technology and fitness companies require users to agree to arbitration clauses in their terms of service—the legal agreement that users typically accept without reading when they download an app or create an account. These clauses state that any disputes must be resolved through arbitration (a private process with a neutral third party) rather than in court or as a class action. When Under Armour invoked this arbitration clause, courts upheld it, preventing the case from proceeding as a class action in which all 150 million affected users could have sought compensation together.

The arbitration route presented serious limitations for users. Pursuing a claim individually through arbitration requires hiring a lawyer, paying arbitration fees, and investing significant time—costs that many people cannot afford, especially when the damages per user are uncertain. This dynamic—where a company’s arbitration clause essentially shields it from meaningful accountability even when affecting millions of users—is a common complaint among consumer advocates. Had the case been allowed to proceed as a class action, a settlement could have established a claims process through which all affected users could have received compensation without individual legal action. The arbitration outcome meant that most of the 150 million affected users likely pursued no legal claim at all.

[Figure: Timeline of Under Armour and MyFitnessPal Data Breaches. Values in millions of records / GB of data: Breach Date (Feb 2018), 150; Disclosure Date (Mar 2018), 150; Breach Discovery (Nov 2025), 343; Data Published (Jan 2026), 72.7. Source: Under Armour disclosures, Everest ransomware group announcements, law firm investigations]

What Data Was Exposed in the 2025-2026 Under Armour Breach?

Nearly seven years after the MyFitnessPal breach, Under Armour faced a second major security incident. In November 2025, the Everest ransomware group publicly announced that it had breached Under Armour’s systems and exfiltrated 343 gigabytes of internal company data. The criminals demanded a ransom from Under Armour and, when the company either refused or failed to meet their terms, began releasing the stolen data on public hacking forums. By January 2026, approximately 72.7 million unique email addresses had been published, along with other internal company information.

This breach was particularly concerning because it exposed not just user data but internal company communications and potentially sensitive business records. Unlike the 2018 MyFitnessPal breach, which affected fitness app users specifically, the 2025-2026 Under Armour breach could have implications for anyone with an email address that appeared in the company’s systems—which could include customers of Under Armour’s various brands and products, employees, partners, and contractors. The Everest ransomware group’s track record suggests they do not simply publish data quietly; they actively market stolen data to other criminals, increasing the risk that exposed email addresses and any associated personal information could be used for phishing, spam, identity theft, or account takeovers. The difference between the 2018 and 2025-2026 breaches underscores an important point: Under Armour has now experienced two major security failures within a decade, suggesting potential systemic issues with the company’s information security practices.

What Are the Potential Class Action Claims for the Recent Breach?

Because the 2025-2026 Under Armour breach is very recent, no settlement has yet been reached and no formal class action has been certified. However, multiple law firms are currently investigating potential lawsuits on behalf of affected users. These investigations typically focus on claims similar to those in the 2018 case: breach of contract (the company failed to protect user data as promised in its privacy policy), negligence (the company failed to implement reasonable security measures), invasion of privacy (the unauthorized access to personal information violated privacy rights), and violations of state consumer protection laws such as California’s unfair and deceptive practices statute.

For individuals affected by the 2025-2026 breach, joining a class action as it develops offers significant advantages over the arbitration path that 2018 victims faced. In a certified class action, one or a small group of lead plaintiffs represents all affected users, sharing the cost of litigation and increasing the pressure on the defendant to settle. Successful settlements can provide monetary compensation to class members, reimbursement for identity theft monitoring services, or extended credit monitoring—though the amount each individual receives depends on how many people make claims against the settlement fund. An important limitation: class action compensation is typically modest per person, especially in data breach cases where the connection between the breach and actual financial harm can be difficult to prove.

What Personal Information Should You Monitor After an Under Armour Breach?

Anyone who used MyFitnessPal or Under Armour services should assume their email address and potentially other personal information may have been exposed in one or both breaches. The primary risk following data exposure is identity theft, unauthorized account access, and targeted phishing attacks. Criminals who obtain a database of email addresses often attempt to crack the associated passwords (especially if they were poorly hashed), use the email addresses for credential-stuffing attacks on other services, or sell the information to other criminals who use it for spam, phishing, or social engineering.

A critical warning: if you used the same password across multiple accounts, change that password immediately on every service where you used it. Many data breaches are followed by waves of account takeovers on unrelated services once criminals realize a password works across multiple platforms. Additionally, consider using a credit monitoring or identity theft protection service to monitor for unauthorized access to your accounts or applications for new credit in your name. Some class actions provide free monitoring services to class members as part of their settlement. While monitoring cannot prevent identity theft entirely, it can help catch unauthorized activity quickly, limiting your financial exposure. Be cautious of phishing emails claiming to be from Under Armour or MyFitnessPal regarding the breach—scammers often create fake settlement notification emails to trick people into providing additional personal information.

How Do You Join or Track an Emerging Class Action?

If you were affected by the 2025-2026 Under Armour breach and want to participate in a class action, the most important step is to monitor reputable legal sources for announcements that a class action has been filed and certified. Law firms investigating the breach (such as Chimicles Schwartz and Bank Info Security, among others) typically maintain web pages where affected users can register for updates or sign up to be potential class members. Registering your interest early does not bind you to anything but ensures you receive notice if a settlement is reached.

Once a settlement is approved by the court, class members are typically notified through email or by mail. The notification explains the settlement terms, how to submit a claim, the claim deadline, and what compensation is available. These notices should come directly from the claims administrator appointed by the court—not from lawyers or third parties asking for personal information or payment. Be extremely cautious of scams: if you receive a suspicious email about an Under Armour settlement claiming you must pay a fee or provide your Social Security number via email, it is almost certainly a scam. Legitimate settlements never ask for payment upfront from consumers, and claims administrators use secure portals, not email, for sensitive information.

What Does This Mean for Under Armour’s Future Accountability?

The fact that Under Armour has experienced two major breaches within seven years raises serious questions about the company’s approach to information security and data protection. Regulatory agencies including state attorneys general are increasingly scrutinizing companies that suffer repeated breaches, and some jurisdictions have begun imposing mandatory cybersecurity standards and breach notification requirements. The second Under Armour breach will likely trigger significant regulatory investigations, potential fines, and heightened public scrutiny of the company’s security practices.

For consumers, these repeated breaches underscore the importance of understanding that even large, well-resourced companies can fail to protect personal information adequately. The emergence of investigations into a class action for the 2025-2026 breach suggests that courts and the public may be holding Under Armour more accountable than in the 2018 case, when the arbitration clause prevented meaningful legal recourse. If the new class action proceeds successfully, it could result in a higher settlement and more visible accountability than the 2018 situation allowed. However, no settlement is guaranteed, and the legal process will take time.
