Under Armour Tracks Every Visitor With 8+ Pixels & an F Security Grade — While 222M Records Were Breached
Complete audit of every cookie, tracking pixel, and third-party script on underarmour.com — plus the security gaps that led to two of the largest retail data breaches in history.
First: Why Should You Care About Under Armour's Tracking Setup?
What a $5.2B brand's tracking reveals about the gap between data collection and data protection
Under Armour is one of the most instructive case studies in ecommerce tracking. Not because they run the most sophisticated pixel stack — but because they demonstrate what happens when tracking investment outpaces security investment. With $5.2B in revenue (FY2025, SEC filing) and 8+ tracking pixels feeding their advertising machine, their tech stack tells a cautionary story:
222M+
Under Armour has had 222 million customer records breached across two incidents — 150 million in the 2018 MyFitnessPal breach and 72.7 million in the November 2025 Everest ransomware attack. Understanding what they track — and how they failed to protect it — helps you avoid the same mistakes.
Under Armour scores F on security headers — only 1 of 6 standard headers present. They have HSTS (good) but lack Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. For a $5.2B public company that has been breached twice, this is a red flag. See the full breakdown in our tech stack analysis.
Source: Security header scan of underarmour.com, March 20, 2026
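An added example, not the scanner used for this audit: a check of the same six headers that goes one step beyond presence and also tests whether each value is effective. The pass criteria (a 180-day HSTS minimum, the accepted Referrer-Policy values) and the HARDENED and INEFFECTIVE samples are assumptions constructed for illustration; the OBSERVED sample carries only the HSTS value this audit reports.

```python
import re

# Referrer-Policy values that do not send full URLs cross-origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def _hsts_ok(value):
    # Assumed bar for this example: max-age of at least 180 days.
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 180 * 86400

def _csp_ok(value):
    # The policy must restrict scripts, directly or through default-src.
    names = {d.split()[0].lower() for d in value.split(";") if d.strip()}
    return bool(names & {"script-src", "default-src"})

def _referrer_ok(value):
    # Browsers apply the last policy token they recognise.
    return value.split(",")[-1].strip().lower() in SAFE_REFERRER

# The six headers counted by the audit above, each with a value check.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": _referrer_ok,
    "permissions-policy": lambda v: bool(v.strip()),
}

def audit_headers(headers):
    """Map each of the six headers to 'ok', 'weak' or 'missing'."""
    seen = {name.lower(): value for name, value in headers.items()}
    return {name: ("missing" if name not in seen
                   else "ok" if check(seen[name]) else "weak")
            for name, check in CHECKS.items()}

def score(result):
    """(headers passing, headers checked)."""
    return sum(state == "ok" for state in result.values()), len(result)

# HSTS value as reported in this audit; no other header was present.
OBSERVED = {"Strict-Transport-Security": "max-age=63072000"}

# Constructed hardened response for comparison.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' https://www.googletagmanager.com",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

# Constructed edge cases: values that are present but ineffective, and a
# report-only CSP, which the browser logs against but does not enforce.
INEFFECTIVE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
}

if __name__ == "__main__":
    for label, sample in [("observed", OBSERVED), ("hardened", HARDENED),
                          ("ineffective", INEFFECTIVE)]:
        result = audit_headers(sample)
        print(label, "%d/%d" % score(result), result)
```

A presence-only scan would count the INEFFECTIVE sample as 2 of 6; checking values shows that none of its headers actually protects the visitor.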
$5.2B
Under Armour generated $5.2 billion in FY2025 revenue — making their tracking data enormously valuable. Every pixel, every cookie, every third-party script is a data collection point across millions of visitors. When that data gets breached, the exposure is massive. Tracking isn't just about marketing — it's about the performance and security obligations that come with it.
An estimated ~38 cookies dropped on a single page load — here are the notable ones
Under Armour drops an estimated 38 cookies on a single page load. Based on the confirmed tracking vendors detected via public source analysis (Google Analytics, Meta, Pinterest, Criteo, Bing, OneTrust), we estimate the split: approximately 14 advertising cookies, 10 analytics cookies, 6 functional cookies, 4 strictly necessary cookies, and 4 personalization cookies. This is roughly 58% above the ecommerce average of ~24 cookies.
Advertising: ~14 (37%)
Analytics: ~10 (26%)
Functional: ~6 (16%)
Strictly Necessary: ~4 (11%)
Personalization: ~4 (11%)
37% of all cookies are advertising trackers. Meta, Google Ads, Pinterest, Criteo, and Bing each drop their own cookies to build cross-site behavioral profiles. The longest-lived cookies include Google Analytics _ga (2 years), Criteo cto_bundle (13 months), and Pinterest _pin_unauth (1 year).
Notable Cookies (Detected via Public Source Analysis)
Cookie Name | Domain | Type | Category | Expiry | Purpose
_ga | .underarmour.com | 1st | Analytics | 2 years | Google Analytics client ID — distinguishes unique users
_ga_* | .underarmour.com | 1st | Analytics | 2 years | GA4 measurement session persistence
_gid | .underarmour.com | 1st | Analytics | 24 hours | Google Analytics session grouping
_fbp | .underarmour.com | 1st | Advertising | 3 months | Meta Pixel — tracks visitors for Facebook/Instagram ad targeting
_fbc | .underarmour.com | 1st | Advertising | 3 months | Meta Pixel — stores click identifier from Facebook ads
fr | .facebook.com | 3rd | Advertising | 3 months | Facebook cross-site ad delivery and retargeting
_gcl_au | .underarmour.com | 1st | Advertising | 3 months | Google Ads conversion linker — ties clicks to conversions
_pin_unauth | .underarmour.com | 1st | Advertising | 1 year | Pinterest tag — tracks unauthenticated visitors
IDE | .doubleclick.net | 3rd | Advertising | 13 months | Google DoubleClick — serves and measures display ads
cto_bundle | .underarmour.com | 1st | Advertising | 13 months | Criteo — behavioral retargeting identifier
_uetsid | .underarmour.com | 1st | Advertising | Session | Bing Ads UET — session-level conversion tracking
_uetvid | .underarmour.com | 1st | Advertising | 13 months | Bing Ads UET — persistent visitor identification
OptanonConsent | .underarmour.com | 1st | Necessary | 1 year | OneTrust — stores user consent preferences
OptanonAlertBoxClosed | .underarmour.com | 1st | Necessary | 1 year | OneTrust — records that user dismissed banner
Key Finding
Under Armour's security header grade of F (1/6 passing) is the most notable finding in this audit. The site lacks a Content-Security-Policy header — meaning there's no browser-level restriction on which third-party domains can load scripts. For a company that has suffered two massive data breaches (150M + 72.7M records), implementing CSP would be a basic first step toward preventing unauthorized script injection.
This cookie audit is exactly the kind of analysis LeadMaxxing generates automatically for any ecommerce site — cookie inventory, category breakdown, expiry audit, and compliance gaps — delivered to your inbox in under 60 seconds.
Tracking Pixels & Tags
8+ distinct pixels covering major ad platforms and analytics
Under Armour runs at least 8 confirmed tracking pixels, covering Google, Meta, Pinterest, Criteo, and Bing. Each fires on page load, sending data about your visit to its respective platform. Here's what we detected via public source analysis and vendor documentation:
Google Analytics (GA4), Meta Pixel, Google Ads, Pinterest Tag, Criteo, DoubleClick, Bing Ads UET, OneTrust
Meta Pixel
Advertising
Meta Pixel detected — ID redacted for privacy
Tracks page views, add-to-cart, purchase, and custom events. Sends data to Meta for Facebook/Instagram ad retargeting, lookalike audience building, and conversion optimization.
Fires: PageView on every load • AddToCart • Purchase • ViewContent
Google Analytics 4
Analytics
Google Analytics 4 property detected
Core web analytics. Tracks sessions, page views, scroll depth, outbound clicks, and ecommerce events. Powers Under Armour's marketing attribution and customer journey analysis across their $5.2B operation.
Measures Google Ads conversions — links ad clicks to on-site purchases. Powers automated bidding (tROAS, tCPA) across Search, Shopping, and YouTube campaigns.
Fires: conversion on purchase • remarketing on all pages
Pinterest Tag
Advertising
Pinterest Tag detected — ID redacted for privacy
Powers Pinterest's conversion API and audience matching. Tracks page visits, add-to-cart, and checkout events for Pinterest Shopping ads and catalog syncing.
Fires: pagevisit • addtocart • checkout
Criteo
Retargeting
Criteo OneTag detected
Display retargeting across the Criteo publisher network. Shows Under Armour product ads to visitors who browsed but didn't purchase — across thousands of third-party sites.
Serves and measures display advertising across the Google Display Network. Enables frequency capping, cross-device tracking, and programmatic ad buying for Under Armour's display campaigns.
Tracks Microsoft Advertising conversions across Bing Search and the Microsoft Audience Network. Enables automated bidding and remarketing for Under Armour's Microsoft ad spend.
Fires: page_load • conversion on purchase • remarketing
OneTrust
Consent Management
OneTrust CookieLaw detected
Manages cookie consent banner and preference center. Categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting groups per GDPR/CCPA requirements.
Fires: on page load (before all other scripts)
What would YOUR pixel audit look like?
Under Armour runs 8+ separate pixels because they have a dedicated data team to manage them. Most brands don't need that complexity. LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have gaps — then gives you a single script that handles visitor identification, lead scoring, and platform syncing automatically.
An estimated ~25 external domains contacted on a single page load
Loading underarmour.com triggers requests to an estimated 25 unique external domains. Your browser downloads scripts, pixels, fonts, and data from dozens of different companies before the page finishes loading. Here's the estimated breakdown by category:
Estimated Third-Party Requests by Category (underarmour.com homepage)
Advertising: ~10 domains
Analytics: ~5 domains
CDN / Performance: ~5 domains
Consent / Compliance: ~3 domains
Other / Personalization: ~2 domains
Network Waterfall: What Loads and When
Here's the approximate load order when your browser requests underarmour.com. Under Armour uses Fastly CDN (confirmed via DNS: CNAME to n.sni.global.fastly.net) for edge delivery, but multiple third-party scripts fire in the first 2 seconds — before most users have even scrolled:
We used two methods: (1) analyzing underarmour.com's DNS records (which reveal Fastly CDN infrastructure), and (2) cross-referencing publicly documented tracking vendors from Under Armour's cookie disclosures and privacy policy. The lack of a Content-Security-Policy header means we cannot enumerate allowed domains via CSP — which is itself a security finding. See our Tech Stack report for the full infrastructure breakdown.
Curious how many third-party domains YOUR site contacts? LeadMaxxing's free report runs a CSP + network audit on your domain and shows you exactly which vendors are loading, how they impact page speed, and which ones you can cut.
Estimated External Domains Contacted
ADS connect.facebook.net
ADS www.facebook.com
ADS googleads.g.doubleclick.net
ADS www.googleadservices.com
ADS pagead2.googlesyndication.com
ADS s.pinimg.com
ADS ct.pinterest.com
ADS static.criteo.net
ADS dis.criteo.com
ADS bat.bing.com
ANALYTICS www.googletagmanager.com
ANALYTICS www.google-analytics.com
ANALYTICS region1.google-analytics.com
ANALYTICS td.doubleclick.net
ANALYTICS stats.g.doubleclick.net
CDN n.sni.global.fastly.net
CDN fonts.googleapis.com
CDN fonts.gstatic.com
CDN images.underarmour.com
CDN cdn.underarmour.com
CONSENT cdn.cookielaw.org
CONSENT geolocation.onetrust.com
CONSENT optanon.blob.core.windows.net
PERSONAL api.bazaarvoice.com
PERSONAL display.powerreviews.com
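An added example, not part of the original audit: turning a vendor inventory like the one above into a draft Content-Security-Policy, and reading the allowed hosts back out of a policy, which is the enumeration the audit could not perform here. It uses a subset of the listed domains; the category-to-directive mapping and the /csp-report collector path are assumptions, and the draft is meant to be sent as Content-Security-Policy-Report-Only first.

```python
from urllib.parse import urlsplit

# Subset of the estimated domain list above, with the page's category labels.
INVENTORY = [
    ("ADS", "connect.facebook.net"),
    ("ADS", "static.criteo.net"),
    ("ADS", "bat.bing.com"),
    ("ANALYTICS", "www.googletagmanager.com"),
    ("ANALYTICS", "www.google-analytics.com"),
    ("CDN", "fonts.googleapis.com"),
    ("CDN", "fonts.gstatic.com"),
    ("CONSENT", "cdn.cookielaw.org"),
    ("PERSONAL", "api.bazaarvoice.com"),
]

# Assumption: fetch directives each category needs. Tune this from
# violation reports before switching the header to enforcing mode.
CATEGORY_DIRECTIVES = {
    "ADS": ("script-src", "img-src", "connect-src"),
    "ANALYTICS": ("script-src", "img-src", "connect-src"),
    "CDN": ("style-src", "font-src", "img-src"),
    "CONSENT": ("script-src", "connect-src"),
    "PERSONAL": ("script-src", "connect-src"),
}

def draft_policy(inventory, report_uri="/csp-report"):
    """Build a policy value that allows only the inventoried hosts."""
    directives = {"default-src": ["'self'"]}
    for category, host in inventory:
        for name in CATEGORY_DIRECTIVES[category]:
            sources = directives.setdefault(name, ["'self'"])
            source = "https://" + host
            if source not in sources:
                sources.append(source)
    parts = [name + " " + " ".join(srcs) for name, srcs in directives.items()]
    parts.append("report-uri " + report_uri)  # hypothetical collector path
    return "; ".join(parts)

def allowed_hosts(policy):
    """Enumerate the third-party hosts each directive of a policy allows."""
    out = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() in ("report-uri", "report-to"):
            continue
        hosts = set()
        for tok in tokens[1:]:
            # Skip quoted keywords ('self', nonces) and bare schemes (https:).
            if tok.startswith("'") or tok.endswith(":"):
                continue
            host = urlsplit(tok if "//" in tok else "//" + tok).hostname
            if host:
                hosts.add(host)
        out[tokens[0].lower()] = hosts
    return out

def not_allowed(policy, inventory, directive="script-src"):
    """Inventoried hosts that the given directive would block."""
    hosts = allowed_hosts(policy)
    # A missing fetch directive falls back to default-src in the browser.
    permitted = hosts.get(directive, hosts.get("default-src", set()))
    return sorted(h for _, h in inventory if h not in permitted)

if __name__ == "__main__":
    policy = draft_policy(INVENTORY)
    print("Content-Security-Policy-Report-Only:", policy)
    print("blocked as script sources:", not_allowed(policy, INVENTORY))
```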
Consent & Compliance Analysis
Enterprise consent management — but an F security grade and two massive breaches tell a different story
Under Armour uses OneTrust for cookie consent (detected via cdn.cookielaw.org), the same enterprise platform used by Nike, Adidas, and Target. But the real compliance story isn't about cookies — it's about the gap between Under Armour's consent infrastructure and their actual data protection track record:
Consent Platform
OneTrust
Enterprise-tier consent management platform, auto-categorizes cookies into Strictly Necessary, Performance, Functional, and Targeting per GDPR/CCPA
Default Behavior
Geo-Based
EU visitors see a GDPR-compliant opt-in banner. US visitors get CCPA opt-out rights. Non-essential cookies likely load by default for non-EU visitors
Security Headers
F (1/6)
Only HSTS present. Missing CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy — critical gaps for a twice-breached company
Breach History
222M+
150M records in MyFitnessPal (2018) + 72.7M records in Everest ransomware attack (Nov 2025). Combined: 222M+ customer records exposed
What Happens When You Visit underarmour.com
Here's the estimated sequence from the moment your browser hits underarmour.com:
0ms — Pre-Consent
OneTrust loads and checks your geolocation
The consent script (cdn.cookielaw.org) runs first. It pings geolocation.onetrust.com to determine if you're in the EU, UK, California, or elsewhere. This decides which consent banner (if any) you see.
100ms — Pre-Consent
Google Tag Manager fires
GTM container loads and evaluates consent state. With Google Consent Mode, it sets the default consent state to denied for EU visitors and to granted for everyone else. GA4 begins collecting anonymized pings regardless.
150ms — Pre-Consent
GA4 initializes
Google Analytics 4 begins tracking basic page data. Without a Content-Security-Policy header, there's no browser-level restriction on which scripts can execute — the consent layer is the only gate.
~700ms — Consent Banner Appears
OneTrust cookie banner renders
EU/UK visitors see a GDPR banner with Accept All, Reject All, or Cookie Settings options. US visitors may see a CCPA "Do Not Sell" link but most tracking fires by default.
~900ms — Post-Consent (Accept)
All ad pixels fire simultaneously
Meta Pixel, Pinterest Tag, Google Ads, Criteo, Bing UET, and DoubleClick all initialize. Each sends a PageView event with your session data to its respective platform.
~1200ms — Ongoing
Full tracking active
All estimated ~38 cookies are now set. Every click, scroll, and product view generates events routed to 8+ different platforms. Your browser maintains connections to ~25 external domains.
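An added example, not the audit's own tooling: checking a page-load capture against the consent state stored in the OptanonConsent cookie, for a visitor in an opt-in region. The timeline and cookie values are constructed to follow the sequence above; the group IDs C0001 to C0004 are OneTrust's common defaults (a site can rename them), and the host-to-group mapping is an assumption.

```python
from urllib.parse import parse_qs

# Assumption: OneTrust's common default group IDs; a site can rename them.
GROUPS = {"C0001": "Strictly Necessary", "C0002": "Performance",
          "C0003": "Functional", "C0004": "Targeting"}

# Assumption: the consent group each vendor needs, following the page's
# split of analytics into Performance and advertising into Targeting.
HOST_GROUP = {
    "cookielaw.org": "C0001", "onetrust.com": "C0001",
    "google-analytics.com": "C0002",
    "facebook.net": "C0004", "pinterest.com": "C0004",
    "criteo.com": "C0004", "bing.com": "C0004", "doubleclick.net": "C0004",
}

def granted_groups(optanon_consent):
    """Groups set to 1 in an OptanonConsent value. With no cookie (banner
    not yet answered) only Strictly Necessary counts as granted."""
    granted = {"C0001"}
    if optanon_consent:
        groups = parse_qs(optanon_consent).get("groups", [""])[0]
        for item in groups.split(","):
            gid, _, flag = item.partition(":")
            if flag == "1":
                granted.add(gid)
    return granted

def required_group(host):
    """Match on a dot boundary so 'notfacebook.net' is not 'facebook.net'."""
    host = host.lower().rstrip(".")
    for suffix, gid in HOST_GROUP.items():
        if host == suffix or host.endswith("." + suffix):
            return gid
    return None

def ungated_requests(timeline, optanon_consent):
    """Requests whose consent group was not granted, plus any host missing
    from the mapping, which needs classifying before it can be gated."""
    granted = granted_groups(optanon_consent)
    flagged = []
    for ms, host in timeline:
        gid = required_group(host)
        if gid is None:
            flagged.append((ms, host, "unclassified"))
        elif gid not in granted:
            flagged.append((ms, host, GROUPS[gid]))
    return flagged

# Constructed capture: (ms since navigation start, host contacted).
TIMELINE = [
    (0, "cdn.cookielaw.org"),
    (20, "geolocation.onetrust.com"),
    (150, "region1.google-analytics.com"),
    (900, "connect.facebook.net"),
    (905, "ct.pinterest.com"),
    (910, "bat.bing.com"),
    (950, "display.powerreviews.com"),
]

# Constructed cookie values (URL-encoded, as the browser stores them).
ANALYTICS_ONLY = "isGpcEnabled=0&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A0%2CC0004%3A0"
ACCEPT_ALL = "isGpcEnabled=0&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A1%2CC0004%3A1"

if __name__ == "__main__":
    for label, cookie in [("no choice yet", None),
                          ("analytics only", ANALYTICS_ONLY),
                          ("accept all", ACCEPT_ALL)]:
        print(label, ungated_requests(TIMELINE, cookie))
```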
Notable Finding
The consent-security gap is the real story. Under Armour invests in enterprise consent management (OneTrust) to comply with GDPR/CCPA cookie regulations. But they score F on security headers — meaning there's no Content-Security-Policy to restrict which scripts can run. And they've been breached twice in 7 years, exposing 222M+ records. Consent management without matching security investment is like putting a lock on the front door while leaving the back wall open.
Not sure what fires before consent on your own site? LeadMaxxing's compliance audit maps your pre-consent vs post-consent script loading — so you know exactly what's at risk before a GDPR regulator does.
How Under Armour Compares
Moderate tracking footprint but critically weak security posture
Under Armour's tracking is moderately above the ecommerce average, but their security posture is critically weak. With $5.2B in revenue and advertising across multiple platforms, they need robust tracking for attribution. But the F security grade (verified via our header scan) combined with two major breaches tells a cautionary tale. Enterprise consent management means nothing if the underlying infrastructure can't protect the data being collected. See how this connects to their email and CRM strategy and SEO content approach.
Takeaway
Under Armour's tracking stack is what a $5.2B retail brand's marketing infrastructure looks like — standard enterprise-level pixels and consent. But the real lesson is the security gap: an F on headers, no CSP, and 222M+ breached records. Tracking investment without matching security investment is a liability, not an asset.
Key Findings
→ Under Armour runs 8+ confirmed tracking pixels (Meta, Google Ads, GA4, Pinterest, Criteo, DoubleClick, Bing, OneTrust) with an estimated ~38 cookies — roughly 58% above the ecommerce average of 24.
→ The site scores F on security headers (1/6 present) — only HSTS is implemented, with no Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy.
→ Under Armour has suffered 222M+ records breached across two incidents: 150M in the 2018 MyFitnessPal breach and 72.7M in the November 2025 Everest ransomware attack.
→ Despite the F security grade, Under Armour runs OneTrust enterprise consent management — creating a gap where cookie compliance is prioritized over fundamental infrastructure security.
→ The site uses Fastly CDN (confirmed via DNS CNAME to n.sni.global.fastly.net) for content delivery, but the lack of CSP means there's no browser-level restriction on third-party script execution.
What This Data Means for You
Turning Under Armour's tracking infrastructure into your competitive advantage
You don't need Under Armour's pixel count. But you do need to avoid their security mistakes. Here's the actionable breakdown by revenue stage:
Under $5M Revenue — Start Here
Must have: GA4 + Meta Pixel + one more platform pixel (Pinterest or TikTok). Also must have: All 6 security headers. Skip: Enterprise consent, Criteo, Bing. That's 3-4 pixels vs Under Armour's 8+ — covering 80% of the value with better security.
$5M-$50M Revenue — Fill the Gaps
Add: All platform pixels where you run ads. Implement: OneTrust or a CMP for GDPR/CCPA. Critical: Add CSP headers before adding more tracking. The lesson from Under Armour: consent management without security headers is compliance theater.
The Cost Under Armour Pays
Consent management: we estimate ~$50-100K/yr. Analytics (GA360): we estimate ~$150K/yr. Retargeting: % of ad spend. CDN (Fastly): we estimate ~$100K+/yr. Breach costs: class action lawsuits, regulatory fines, brand damage — priceless. Total tracking SaaS: we estimate $400-700K/yr.
The 80/20 Alternative
You don't need 8 pixels and $500K in SaaS. LeadMaxxing identifies anonymous visitors, scores leads, tracks conversions, and syncs to your CRM with a single script for $29/month. Get 80% of Under Armour's visitor intelligence at a fraction of the cost — with better security hygiene out of the box.
LeadMaxxing Automates This Tracking Audit Playbook
Under Armour spends an estimated $400-700K/year on their tracking stack with 8+ pixels and enterprise consent. LeadMaxxing scans your site, shows you exactly which pixels are firing and where you have gaps, then gives you unified tracking with a single script — starting at $29/month.
Actionable lessons from Under Armour's tracking playbook
Run an automated cookie and pixel audit
LeadMaxxing scans your site and shows you exactly which pixels are firing, which cookies are set, and where you have gaps — the same audit you just read, generated for your domain in under 60 seconds.
Fix your security headers before adding more tracking
Under Armour's F grade shows what happens when you skip security basics. LeadMaxxing's security scan checks all 6 standard headers and tells you exactly what to add — CSP, X-Frame-Options, Referrer-Policy, and more.
Map your pre-consent vs post-consent scripts
Under Armour uses OneTrust to gate tracking for EU visitors. LeadMaxxing's compliance audit maps your pre-consent vs post-consent script loading — so you know exactly what's at risk before a GDPR regulator does.
Benchmark your tracking against competitors
Under Armour runs ~58% above the cookie average. LeadMaxxing's competitive reports show you how your tracking compares to direct competitors — cookie counts, pixel coverage, consent implementation, and security posture.
Under Armour's website sets an estimated 38 cookies on a single page load. By category: approximately 14 advertising cookies (37%) from platforms like Meta, Google Ads, Pinterest, and Criteo; 10 analytics cookies (26%) from GA4 and related services; 6 functional cookies (16%); 4 strictly necessary cookies (11%) including OneTrust consent management; and 4 personalization cookies (11%). The longest-lived cookies include Google Analytics _ga (2 years) and Criteo cto_bundle (13 months).
Does Under Armour use Google Tag Manager?
Yes, Under Armour uses Google Tag Manager (GTM) as their primary tag orchestration system. GTM manages the deployment of GA4, Google Ads conversion tracking, and coordinates with other tracking pixels. GTM loads early in the page lifecycle and evaluates consent state to determine which tags fire based on OneTrust consent preferences.
What consent management platform does Under Armour use?
Under Armour uses OneTrust (detected via cdn.cookielaw.org), an enterprise-tier consent management platform also used by Nike, Adidas, and Target. OneTrust auto-categorizes cookies and displays geolocation-based consent banners — EU visitors see a GDPR-compliant opt-in banner with Accept All, Reject All, and Cookie Settings options, while US visitors typically see tracking fire by default with CCPA-compliant opt-out rights.
Has Under Armour had any data breaches?
Under Armour has suffered two major data breaches. In February 2018, the MyFitnessPal breach exposed approximately 150 million user accounts including usernames, email addresses, and hashed passwords (reported by CNBC, March 2018). In November 2025, the Everest ransomware group breached Under Armour's systems, exposing 343 GB of data including personal information of 72.7 million people — names, email addresses, dates of birth, genders, and geographic locations (confirmed by Have I Been Pwned).
What tracking pixels does Under Armour use?
Under Armour runs at least 8 confirmed tracking pixels: Google Analytics 4, Meta Pixel (Facebook/Instagram), Google Ads Conversion tag, Pinterest Tag, Criteo retargeting, Google DoubleClick, Bing Ads UET, and OneTrust consent management. Each fires PageView events on page load and tracks ecommerce events like AddToCart and Purchase for advertising optimization and attribution.
What is Under Armour's security header grade?
Under Armour scores an F on security headers, with only 1 of 6 standard security headers present. The site implements HSTS (Strict-Transport-Security with max-age=63072000) but lacks Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. This is notably poor for a $5.2 billion public company, especially one that has experienced two major data breaches totaling 222M+ records.
How does Under Armour's tracking compare to other ecommerce sites?
Under Armour's tracking footprint is moderately above the ecommerce average. With an estimated 38 cookies (vs. 24 average), 8+ tracking pixels (vs. 5 average), and approximately 25 external domains (vs. 22 average), their tracking is roughly 58% above average for cookies and 60% above for pixels. However, their security posture (F grade, 1/6 headers) is significantly below average, creating a concerning gap between data collection sophistication and data protection.
What CDN does Under Armour use?
Under Armour uses Fastly as their CDN provider, with DNS records showing a CNAME to n.sni.global.fastly.net and four A records (151.101.1.91, 151.101.65.91, 151.101.129.91, 151.101.193.91). Fastly provides edge caching, DDoS protection, and global content delivery. The HSTS header (max-age=63072000, approximately 2 years) enforces HTTPS connections, but the lack of other security headers like CSP means third-party scripts face fewer browser-level restrictions.
Sources & References
CNBC — MyFitnessPal Data Breach (2018) — Original reporting on the Under Armour MyFitnessPal data breach affecting 150 million user accounts.
cnbc.com
ClassAction.org — November 2025 Data Breach — Reporting on the Everest ransomware breach exposing 72.7 million customer records and 343 GB of data.
classaction.org
Under Armour Annual Reports (SEC Filings) — FY2025 10-K annual report confirming $5.2 billion in revenue and financial data.
about.underarmour.com
Google Analytics 4 Documentation — GA4 measurement protocol and consent mode documentation, the analytics foundation of Under Armour's tracking stack.
developers.google.com/analytics
OneTrust Cookie Consent Platform — Enterprise consent management platform detected on underarmour.com via cdn.cookielaw.org.
onetrust.com
CPO Magazine — 72M Records Exposed — Detailed analysis of the November 2025 Under Armour data breach scope and impact.
cpomagazine.com
Security Header & DNS Analysis — Security headers (F grade, 1/6 present) and DNS records (Fastly CDN) identified by scanning underarmour.com on March 20, 2026.
Compiled by LeadMaxxing — we track how brands build, test, and optimize their marketing so you can learn from the best.