Feb 05, 2026
Nike Is Investigating After Hackers Published 1.4 Terabytes of Internal Files
The WorldLeaks extortion gang published 190,000 files stolen from Nike, including product designs, factory audit data, and supply chain documents. Nike confirmed it is investigating but has not validated the claims.
What Was Stolen
On January 22, 2026, the cybercrime group WorldLeaks added Nike to its dark web leak site. Two days later, it published 1.4 terabytes of data comprising approximately 190,000 files. Nike confirmed it is "actively assessing the situation" but has not verified the authenticity of the leaked data.
According to analysis of the published filenames by security researchers, the data appears to cover Nike's internal business operations, including:
- Research and development files, including technical packs and prototype schematics
- Product design documents and bills of materials
- Factory audit reports and partner information
- Supply chain processes, workflows, and validation documents
- Production processes and manufacturing specifications
The leak appears to target corporate intellectual property rather than customer databases. However, factory audits and partner information could contain names, contact details, and business data of individuals across Nike's global supply chain.
Who Is WorldLeaks
WorldLeaks emerged in 2025 as the successor to Hunters International, a ransomware group that was itself a suspected rebrand of the Hive ransomware operation. The transition marked a deliberate shift in criminal business model: WorldLeaks abandoned file-encrypting ransomware entirely and focuses exclusively on data theft and extortion.
The group steals data from corporate networks, demands payment, and publishes the files if the victim refuses. No encryption, no system lockouts, no operational disruption. Just theft followed by the threat of public exposure.
This aligns with a broader trend in cybercrime. As organizations improve their backup and recovery capabilities, traditional ransomware becomes less effective. Data theft and extortion requires less technical infrastructure and carries lower risk for the attackers while maintaining the same financial leverage.
The Shift From Encryption to Extortion
WorldLeaks represents the maturing of a trend that has been building for years. Cybercrime groups are discovering that stealing data is more profitable than encrypting it. Victims who can restore from backups still have to contend with the public release of sensitive information.
For companies like Nike, the threat is not operational downtime but reputational and competitive damage. Product designs, manufacturing processes, and supplier relationships are core business assets. Their public exposure could benefit competitors, complicate supplier contracts, and erode trust with business partners.
Notably, WorldLeaks later removed Nike from its leak site. This could indicate a negotiated settlement, a ransom payment, or simply a tactical decision by the group. Nike has not commented on whether any payment was made.
What Nike Employees and Partners Should Watch For
When corporate data is stolen and published, the secondary effects often matter more than the initial breach. The 190,000 files published by WorldLeaks could contain names, email addresses, and contact details of Nike employees, factory workers, and supply chain partners.
This information enables highly targeted phishing campaigns. An attacker who knows your name, employer, role, and recent projects can craft emails that are nearly indistinguishable from legitimate communications. These spear phishing attacks are the primary vector for credential theft and further network compromises.
Anyone connected to Nike's supply chain should be especially vigilant about:
- Unexpected emails referencing specific Nike projects or documents
- Requests to verify credentials or update account information
- Messages from unfamiliar contacts who seem to know internal details
- Phishing emails that reference leaked document names or project codes
Protecting Yourself After a Breach
Data breaches create a long tail of risk. The stolen information does not expire. Email addresses and names harvested from the Nike leak will circulate on dark web forums for years, feeding into phishing campaigns and credential stuffing attacks long after the initial headlines fade.
The most effective defenses are structural rather than reactive. Use unique passwords for every service. Enable two-factor authentication everywhere it is available. Treat every unexpected email with suspicion, especially those that reference specific internal information.
And block the tracking pixels that help attackers confirm which email addresses are active and monitored. When a phishing email loads a tracking pixel, it tells the attacker that your address is valid, that you opened the message, and when and where you read it. Blocking that signal makes you a harder target.
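A defender-side check for the beacon behaviour described above, as an added example that is not from the original article: it parses a message with Python's standard library and lists remote images whose size or styling suggests a tracking pixel. The sample message, its hosts, and the `PixelFinder` and `audit_message` names are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

TINY = {"0", "1", "0px", "1px"}  # width/height values that render as a dot or nothing

class PixelFinder(HTMLParser):
    """Collect remote <img> URLs and flag those rendered at 0-1 px or hidden."""
    def __init__(self):
        super().__init__()
        self.remote, self.pixels = [], []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        if not re.match(r"(https?:)?//", src, re.I):
            return  # cid:/data: images are embedded; rendering them contacts no server
        self.remote.append(src)
        style = a.get("style", "").lower().replace(" ", "")
        tiny_attr = a.get("width", "").lower() in TINY or a.get("height", "").lower() in TINY
        tiny_css = re.search(r"(?<![-\w])(width|height):[01](px)?(;|$)", style)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny_attr or tiny_css or hidden:
            self.pixels.append(src)

def audit_message(raw):
    """Return (likely_beacons, other_remote_images) for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    finder = PixelFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    others = [u for u in finder.remote if u not in finder.pixels]
    return finder.pixels, others

# Constructed sample message; every host and address is a placeholder.
SAMPLE = """\
Subject: Constructed sample
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://cdn.example/logo.png" width="180" height="40">
<img src="https://track.example/o.gif?rcpt=analyst%40supplier.example" width="1" height="1">
<img src="cid:signature" width="1" height="1">
<img src="//track.example/b?id=abc123" style="display: none"></body></html>
"""
if __name__ == "__main__":
    print(audit_message(SAMPLE))
```

Any remotely loaded image can report an open, so the second list shows what still leaks if only tiny images are filtered; turning off automatic remote image loading in the mail client covers both.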