ADT Confirms Unauthorized Access to Customer Data
Home security giant ADT has officially acknowledged a data breach after the notorious ShinyHunters extortion group threatened to publicly release stolen information unless a ransom was paid. According to a statement shared by ADT on April 24, 2026, the company detected unauthorized access to customer and prospective customer data on April 20, 2026. Upon discovery, ADT terminated the intrusion and initiated a formal investigation.
That investigation concluded that personal information had indeed been exfiltrated during the incident. In a statement provided to BleepingComputer, ADT described the scope of the stolen data:
"The investigation confirmed that the information involved was limited to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included. Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way."
ADT also stated that the intrusion was limited in scope and that all affected individuals have been notified.
ShinyHunters Claims Over 10 Million Records Stolen
The confirmation comes in direct response to ADT's appearance on the ShinyHunters data leak site, where the attackers alleged they had obtained more than 10 million records containing customers' personally identifiable information (PII) along with internal corporate data.
The message posted on the leak site read: "Over 10M records containing PII and other internal corporate data have been compromised. Pay or Leak. This is a final warning to reach out by 27 Apr 2026 before we leak along with several annoying (digital) problems that'll come your way."
ADT has neither confirmed nor denied the 10 million record figure that the threat actors cited on the leak site.
Vishing Attack Targeting Okta SSO Account
ShinyHunters provided BleepingComputer with details about their alleged method of intrusion. According to the group, they gained entry into ADT's systems through a voice phishing (vishing) attack that successfully compromised an employee's Okta single sign-on (SSO) account. Leveraging that access, the threat actors claimed they were then able to reach and exfiltrate data from the company's Salesforce instance.
A Broader Pattern of SSO-Targeted Extortion
The attack on ADT is consistent with a broader campaign that ShinyHunters has been conducting since at least 2025. The group has been systematically targeting employees and business process outsourcing (BPO) agents through vishing attacks designed to compromise accounts across major SSO platforms, including:
- Microsoft Entra
- Okta
- Google SSO
Once inside a corporate SSO account, the attackers pivot to connected Software-as-a-Service (SaaS) applications to harvest data. Platforms known to have been targeted in this campaign include Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and numerous others.
The stolen data is subsequently weaponized as leverage in extortion demands — pay up or face a public data leak.
ADT's History of Security Incidents
This is not ADT's first encounter with a data breach. The company previously disclosed two separate security incidents in August 2024 and October 2024, both of which resulted in the exposure of customer and employee information. The recurrence of incidents raises questions about the effectiveness of the company's data protection controls, particularly against social engineering vectors such as vishing.
What Affected Customers Should Do
Although ADT states that no financial account information was accessed and that home security systems remain unaffected, individuals whose names, phone numbers, addresses, dates of birth, or partial Social Security numbers may have been exposed should take the following precautions:
- Monitor credit reports for any unusual activity or unauthorized inquiries.
- Consider placing a credit freeze with major bureaus if partial Social Security numbers were among the compromised data.
- Be vigilant against follow-on phishing or vishing attempts that may use the stolen personal details as bait.
- Review any communications from ADT carefully, as the company has stated it is contacting all affected individuals directly.
As the April 27, 2026 deadline set by ShinyHunters approaches, the situation remains fluid. It is unclear whether ADT has engaged with the extortion group or whether the data will ultimately be released publicly.
Source: BleepingComputer