Sorb, a vendor on the breach forum claimed to sell the data that was allegedly stolen in a cyberattack from American footwear and apparel industry leader Nike’s Customer Relationship Management (CRM) software.
The cybercriminal, who appears to have joined the breach forum in 2023, said on January 9, 2025, that they exfiltrated over 11.9GB of data with over 42,000,000 log lines. The data includes IP address, physical address, email, proxy details, shoe size, time of logs, and Discord ID among others.
The information collected between 2020 and 2024 includes sensitive log details. Sorb wrote they accessed the ESNKRS raffle bot to exfiltrate the data, which conducts lotteries for the footwear giant on platforms such as Telegram and Discord.Â
Threat Intelligence platform Falcon Feeds shared additional details about the Nike data sale with TechNadu. Among them were screenshots of the post with samples of data as proof including email ID, location, and statistics on the information.
"The breach originated from the ESNKRS Raffle Bot, a platform that facilitates the use of bots for sneaker raffles. The leaked data appears to involve customers of various stores supplying Nike products, as evidenced by samples from bdgastore.com and nakedcph.com," Falcon Feeds said to TechNadu.
The data was offered for $1,300 on the breach forum.
Nike was in the news after a 25-year-old man infiltrated the company’s systems. Andrew Kelly had no formal training in coding, but the police found evidence of him boasting about his hacking skills and that he entered other websites, including The Cooperative Group and Ubisoft Entertain SA.
He confessed to amassing thousands of proxy IP addresses. However, he was not sternly penalized because he had not conducted fraudulent activity using the credentials. Kelly did not display any ulterior motives for the crimes, the court said in the sentencing remarks.Â
While this incident happened over four years ago, the possibility of hackers misusing previously leaked Nike data now could not be denied.Â
The fraud assessment found that 277,000 customer account details were exposed. This also led to PayPal getting targeted by third-party fraudsters who used the data to make over 500 transactions.