-
A hacker with the username “Nocturne” claims they have millions of Nike customer records and some Alcon user registration details.
-
Nike hasn’t confirmed this claim, and neither has Alcon. There’s also no independent verification to prove the authenticity of the alleged stolen data.
-
Nike’s already knee-deep in an investigation over another breach from January 2026, where someone might’ve leaked a massive 1.4 terabytes of their internal files.
Fresh claims about more stolen data have surfaced on a dark web forum, putting Nike back into the cybersecurity spotlight. A threat actor says they stole millions of customer records from the sportswear giant.
The allegations first appeared on an underground forum. A user called “Nocturne” reportedly posted databases supposedly belonging to Nike and Alcon, an eye care company. Both companies have stayed silent on the matter. No confirmation from independent security researchers that this data is authentic.
The Threat Actor’s Claims
The threat actor claimed there was a data breach involving Nike in June 2026, and they obtained customer registration information and order records. No information from previous years is reportedly part of the package.
The seller estimates the database holds millions of records, with the total number reaching eight figures. Also, the actor says they packaged the data as a compressed file that’s more than 40GB when unpacked. The post reportedly shows a screenshot with sample CSV data to back these claims.
The pattern of large-scale data claims extends to the banking sector, a hacker has claimed a breach of one million Sterling Bank customers in Nigeria.
Alcon Allegedly Targeted in Same Campaign
The same dark web post also mentions Alcon. The threat actor says the alleged breach there occurred in May 2026. The information supposedly includes customer registration details from Alcon’s MARLO platform.
Names, addresses, phone numbers, Salesforce supplier information, and internal MARLO conversation logs are also among. The actor even claims to have the source code for internal files.
A notable part of this story involves a negotiation attempt. The threat actor says Alcon initially engaged in talks after receiving sample data. They claim Alcon later ended those discussions. That prompted the actor to publish the post publicly. No evidence has surfaced to support this account.
Separate from Nike’s Earlier Incident
Nike faced a cybersecurity incident earlier this year, in January. Digital extortion group WorldLeaks claimed responsibility for the attack, saying they stole approximately 1.4TB of internal data. The leaked data includes around 190,000 files supposedly holding details related to design, manufacturing, and supply chain operations.
Nike said in its response that it is investigating the matter to ascertain if what the hacker said is true. The company noted that it takes customer privacy seriously, but never denied the hackers’ allegations.
Security researchers could not verify the full scope of what was stolen. Sample files from January appeared to contain internal documents. There was no evidence that customer payment information leaked.
Why Security Experts are Watching Closely
Security specialists pay attention to these kinds of posts on the dark web. Why? They often serve as an early indicator of actual breach incidents. Sometimes, the alleged information can be true. Other times, it may be outdated, forged, or exaggerated.
It is not uncommon for threat actors to post data samples. The attackers exploit this type of information in order to attract potential buyers or to frighten their victims into making payments. The issue with such information is that it is impossible to confirm or verify any of “Nocturne’s” claims.
Nike and Alcon might have to conduct internal investigations. The main thing to determine here is whether any data breach actually occurred. At the moment, there is no evidence indicating the compromise of customers’ personal information.
Therefore, the claims are still mere speculations on the dark web, and no one should consider them confirmation of a cybersecurity incident.