ADT Confirms Data Breach After ShinyHunters Leak Threat

What happened

Home security company ADT has confirmed a data breach after the ShinyHunters extortion group listed the company on its data leak site on April 24, 2026, threatening to publish stolen data unless a ransom is paid by April 27.

ADT said it detected unauthorized access to customer and prospective customer data on April 20, terminated the intrusion, and launched an investigation. The company confirmed that names, phone numbers, and addresses were stolen, with dates of birth and the last four digits of Social Security numbers or Tax IDs exposed in a small percentage of cases. ADT stated that no payment information was accessed and that customer security systems were not affected. The company said it has contacted all affected individuals but did not confirm or deny the volume claimed by ShinyHunters, who assert they stole over 10 million records.

ShinyHunters told BleepingComputer the breach was initiated through a vishing attack that compromised an employee’s Okta SSO account. Using that access, the group claims to have extracted data from ADT’s Salesforce instance. ShinyHunters has been running widespread vishing campaigns since last year targeting employees’ Microsoft Entra, Okta, and Google SSO accounts, then pivoting to connected SaaS platforms including Salesforce, Microsoft 365, Slack, Zendesk, and others to steal data for extortion.

This is the third ADT data breach disclosure in under a year, following incidents in August and October 2024 that exposed customer and employee information.

Who is affected

ADT customers and prospective customers whose personal information was stored in the accessed systems are directly affected. The company has not confirmed the total number of affected individuals, leaving a significant gap between its characterization of a limited intrusion and ShinyHunters’ claim of 10 million records.

Why CISOs should care

A single compromised Okta SSO account providing access to Salesforce data at a company the size of ADT is a clean illustration of how much blast radius a single identity compromise can carry. ShinyHunters has refined this playbook across multiple campaigns: vish an employee, own the SSO account, pivot to every connected SaaS application, exfiltrate, and extort. The technique does not require exploiting a technical vulnerability in the target’s infrastructure. It requires a convincing phone call.

ADT’s third breach in under a year also raises questions about whether identity and access controls have been adequately hardened between incidents. For security leaders, the pattern here is more instructive than any single data point.

3 practical actions

  1. Implement phishing-resistant MFA on all SSO accounts, particularly Okta, Entra, and Google Workspace: Vishing attacks that compromise SSO accounts succeed when MFA can be bypassed or socially engineered. FIDO2 hardware keys and passkeys resist the real-time phishing and vishing techniques ShinyHunters uses, while TOTP codes do not.
  2. Audit SaaS application access granted through SSO and apply least-privilege scoping: A single compromised SSO account should not provide unrestricted access to Salesforce, Slack, Zendesk, and other platforms simultaneously. Review OAuth scopes and session permissions to ensure that SSO compromise does not automatically translate to broad SaaS data access.
  3. Train employees to recognize and report vishing attempts targeting corporate credentials: ShinyHunters’ campaign relies on employees being convinced over the phone to provide credentials or approve MFA requests. Anti-vishing training, clear escalation procedures for suspicious calls claiming to be IT or vendors, and a culture of verification before action are the primary defenses against this entry vector.
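As an added illustration of actions 1 and 2 (not code from the article, ADT, or Okta), the detection below runs over a few constructed lines shaped like Okta System Log records and flags a successful MFA login that used a phishable factor (push, SMS, TOTP) from an IP outside the user's baseline, escalating when a new factor is enrolled shortly afterwards. The event type names, JSON field paths, factor identifiers and baseline IPs are assumptions to check against a real export.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Okta System Log records. Field
# names and factor identifiers are assumed; compare them with a real export.
SAMPLE_LOG = """
{"published":"2026-04-20T09:02:11Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"a.smith@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"OKTA_VERIFY_PUSH"}}}
{"published":"2026-04-20T09:04:40Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"a.smith@example.com"},"client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"OKTA_VERIFY_PUSH"}}}
{"published":"2026-04-20T10:15:00Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"b.jones@example.com"},"client":{"ipAddress":"198.51.100.4"},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"FIDO_WEBAUTHN"}}}
{"published":"2026-04-20T11:30:00Z","eventType":"user.authentication.auth_via_mfa","actor":{"alternateId":"c.lee@example.com"},"client":{"ipAddress":"192.0.2.22"},"outcome":{"result":"SUCCESS"},"debugContext":{"debugData":{"factor":"SMS"}}}
""".strip()

# Constructed baseline of source IPs each user normally signs in from.
BASELINE = {"a.smith@example.com": {"192.0.2.10"},
            "b.jones@example.com": {"198.51.100.4"},
            "c.lee@example.com": {"192.0.2.22"}}

# Only FIDO2/WebAuthn counts as phishing-resistant here; push, SMS and TOTP
# approvals can all be talked out of a user on a call.
RESISTANT_FACTORS = {"FIDO_WEBAUTHN"}

def parse_log(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])

def detect_vishing_takeover(events, baseline, window=timedelta(minutes=30)):
    # A successful MFA login with a phishable factor from an IP outside the
    # user's baseline is suspicious; a new factor enrolled soon afterwards
    # (the caller securing persistent access) escalates it.
    findings = []
    for i, e in enumerate(events):
        if (e["eventType"] != "user.authentication.auth_via_mfa"
                or e["outcome"]["result"] != "SUCCESS"):
            continue
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        factor = e["debugContext"]["debugData"].get("factor", "UNKNOWN")
        if factor in RESISTANT_FACTORS or ip in baseline.get(user, set()):
            continue
        enrolled = any(f["actor"]["alternateId"] == user
                       and f["eventType"] == "user.mfa.factor.activate"
                       and f["_ts"] <= e["_ts"] + window
                       for f in events[i + 1:])
        findings.append({"user": user, "ip": ip, "factor": factor,
                         "severity": "high" if enrolled else "medium"})
    return findings
```

On the sample data only the first user is flagged: the FIDO2 login and the SMS login from a baseline address produce no finding, while the push approval from an unknown address followed by a factor enrollment two minutes later is reported as high severity.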
