-
Hacking collective Lapsus$ claims it breached Adidas’s extranet and lifted 815,000 rows of sensitive customer and corporate data.
-
A separate threat actor released a 144 GB database containing the personal information and high-definition photographs of over 5 million Salvadoran citizens, entirely for free.
-
Neither Adidas nor the Salvadoran government has issued an official statement, leaving millions of people exposed without warning.
Two major data breaches hit the headlines this week, one targeting a global sportswear giant, the other exposing a national government’s identity registry.
Together, they deliver a blunt reminder that no organisation, regardless of its size or resources, is beyond the reach of determined cybercriminals.
Lapsus$, the hacking collective already known for intrusions at Microsoft, Okta, Samsung, and Nvidia, now claims responsibility for a breach of Adidas’s extranet at adidas.com.
Separately, an unnamed threat actor has released a 144 GB archive containing the identity records and photographs of more than five million Salvadoran citizens, free for anyone to download.
Lapsus$ Hits Adidas: Passwords, Emails, and Dates of Birth Up for Grabs
Lapsus took 815,000 rows of Adidas’ extranet data, and the data is alarming. The dataset contains first and last names, email addresses, passwords, birthdates, company names, and various technical identifiers.
Analysts have said the presence of passwords is especially important. They can give criminals access to multiple credential stuffing attacks, where criminals use this login information on multiple sites, including banking sites, e-commerce sites, and social media accounts. For victims whose passwords have not been sufficiently encrypted, the chance of mass possible account compromise is very high.
Adidas has not responded to the incident, so nobody knows for sure if it did happen or it was a hoax. However, this silence carries legal consequences. The General Data Protection Regulation of the European Union states that companies must notify regulators and affected parties within seventy-two hours of being aware of any breach.
Companies that do not meet these obligations may face statutory fines of up to four percent of their total annual turnover, which in the case of Adidas, could amount to millions of euros.
There are indications that Lapsus$ uses a systematic approach, including selecting large corporations, obtaining private information, or releasing it, as a bargaining tool. Lapsus$ is not retiring but instead appears to be using Adidas in their ongoing campaigns against targeted corporations.
Industry specialists recommend that all owners of Adidas accounts change their passwords without delay, refrain from reusing credential requests, and register to use any sources that provide an alternative confirmation of identity through 2FA; i.e., verifying they are who they say they are, if offered.
Users should be aware that they could receive email scams related to the secure information released in the upcoming weeks and should know about common phishing schemes.
El Salvador’s National ID Database Surfaces Online, 5 Million Citizens Exposed
A threat actor has released a 144 GB database containing the personal records and high-definition photographs of an estimated 5,129,518 Salvadoran citizens — free of charge, to anyone who wants it. The actor had previously attempted to sell the data; the decision to release it for free dramatically widens the pool of potential misuse.
Each record ties to an individual’s DUI, El Salvador’s national identification number, and carries a clear, watermark-free photograph alongside it. The database lists each individual’s full name, date of birth, phone number, email address, and address.
Criminals can use this combination of information as an ‘identity theft tool’ to carry out identity fraud, targeted phishing, social engineering, intimidation, or physical surveillance.
This isn’t theoretical; in India, massive data leaks have already sparked a surge in fake ID extortion scams, with fraudsters weaponizing stolen identity documents to threaten victims into paying ransoms, a fate that now awaits millions of Salvadorans.
To date, the Salvadoran government has not issued a comment regarding this data breach. That silence is its own problem. When a government database becomes a free download, the damage extends beyond individual privacy, it erodes public trust in the very institutions citizens depend on to protect them.
No Sector is Safe, and Ordinary People Pay the Price
These two incidents occurred in the same week and carry the same message: hackers do not discriminate by sector, geography, or organisational size. The sportswear company and the government did not adequately safeguard entrusted data, leaving the most vulnerable individuals to bear the consequences of the breaches.
Cybercriminals are becoming more aggressive and technologically advanced, forcing private companies and public institutions to strengthen their cybersecurity efforts. When they fail, ordinary citizens pay the price.
That price is no longer just identity theft or financial loss; it can now include the terror of family extortion, as a Belgian school recently discovered when hackers turned their cyberattack into a real-world threat against students and their families.
