Threat Actor "Nocturne" Claims Data Breaches at Nike and Alcon
A threat actor using the alias Nocturne has posted a dark web listing alleging the exfiltration of customer data from Nike and confidential records from ophthalmology and medical device company Alcon. Neither company has confirmed the incidents.
For Nike, the actor claims a breach occurred in June 2026, involving millions of customer records estimated in the eight-figure range exclusively from 2026. The dataset, reportedly exceeding 40GB uncompressed, includes recent customer registrations and order records, packaged as CSV files in a 7z archive. A sample screenshot was provided as proof. This follows a separate claim in January 2026, when the WorldLeaks ransomware gang alleged the theft of 1.4TB of internal Nike data, including design, manufacturing, and factory files though that incident reportedly involved insider access rather than customer records.
For Alcon, the breach is alleged to have taken place in May 2026, with the stolen data encompassing a broader range of information. The dataset reportedly includes user sign-up details for Alcon’s MARLO platform (names, addresses, phone numbers), Salesforce supplier data, internal conversation logs, order numbers, and source code for internal files. A shared sample CSV revealed fields such as customer hierarchy IDs, account groups, credit limits, SAP IDs, and geographic classification data. The actor claims Alcon initially engaged in negotiations, receiving data samples before allegedly backing out of a deal, prompting the public leak. A direct message in the post criticized Alcon for failing to disclose the breach to customers.
As of now, neither Nike nor Alcon has confirmed unauthorized access to their systems, and the claims remain unverified. The scale of the alleged breaches particularly the 40GB+ dataset has prompted security teams to monitor the situation closely while awaiting official statements.
Source: https://cyberpress.org/nike-alleged-breach/
Nike cybersecurity rating report: https://www.rankiteo.com/company/nike
Alcon cybersecurity rating report: https://www.rankiteo.com/company/alcon
"id": "NIKALC1783600235",
"linkid": "nike, alcon",
"type": "Breach",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Millions (eight-figure range)',
'industry': 'Apparel/Footwear',
'name': 'Nike',
'type': 'Corporation'},
{'industry': 'Ophthalmology/Medical Devices',
'name': 'Alcon',
'type': 'Corporation'}],
'data_breach': {'data_exfiltration': True,
'file_types_exposed': ['CSV', '7z archive'],
'number_of_records_exposed': 'Millions (eight-figure range '
'for Nike)',
'personally_identifiable_information': 'Names, addresses, '
'phone numbers, '
'customer hierarchy '
'IDs, account groups, '
'credit limits, SAP '
'IDs, geographic '
'classification data',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Customer records',
'Order records',
'User sign-up details',
'Salesforce supplier data',
'Internal conversation logs',
'Order numbers',
'Source code']},
'description': 'A threat actor using the alias *Nocturne* has posted a dark '
'web listing alleging the exfiltration of customer data from '
'Nike and confidential records from ophthalmology and medical '
'device company Alcon. Neither company has confirmed the '
'incidents. For Nike, the actor claims a breach occurred in '
'June 2026, involving millions of customer records estimated '
'in the eight-figure range exclusively from 2026. The dataset, '
'reportedly exceeding 40GB uncompressed, includes recent '
'customer registrations and order records, packaged as CSV '
'files in a 7z archive. For Alcon, the breach is alleged to '
'have taken place in May 2026, with the stolen data '
'encompassing user sign-up details for Alcon’s MARLO platform, '
'Salesforce supplier data, internal conversation logs, order '
'numbers, and source code for internal files.',
'impact': {'data_compromised': 'Customer records, order records, user sign-up '
'details, Salesforce supplier data, internal '
'conversation logs, order numbers, source code',
'identity_theft_risk': 'High'},
'investigation_status': 'Unverified',
'references': [{'source': 'Dark web listing by Nocturne'}],
'threat_actor': 'Nocturne',
'title': "Threat Actor 'Nocturne' Claims Data Breaches at Nike and Alcon",
'type': ['Data Breach', 'Data Exfiltration']}