
Home security giant ADT confirmed this week that hackers infiltrated its systems and stole customer data, after the prolific extortion group ShinyHunters listed the company on its data leak site and threatened to publish over 10 million stolen records unless a ransom is paid by April 27, 2026.

The Attack: Voice Phishing to Cloud Data Access

The breach began with a voice phishing (vishing) campaign — a technique ShinyHunters has weaponized consistently since 2025. An employee’s Okta single sign-on (SSO) account was compromised, granting the threat actors a foothold into ADT’s cloud infrastructure. From there, they accessed the company’s Salesforce CRM instance and exfiltrated customer records.

ADT detected the unauthorized access on April 20, 2026, and terminated the intrusion before launching an investigation. In a statement to BleepingComputer, the company confirmed the scope: “The information involved was limited to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included.”

Critically, ADT says no payment information — including bank accounts or credit cards — was accessed, and that customer security systems were not compromised.

ShinyHunters’ Proven Enterprise Playbook

ShinyHunters is one of the most active extortion groups targeting enterprises in 2025–2026. Their vishing campaigns repeatedly bypass traditional perimeter controls by targeting the human layer. Once inside a corporate SSO account, the attackers move laterally through connected SaaS applications — Salesforce, Microsoft 365, Slack, Zendesk, Dropbox — to maximize the value of stolen data before issuing a ransom demand.

The group claims to have stolen “over 10M records containing PII and other internal corporate data” from ADT. Their dark web leak site reads: “Pay or Leak. This is a final warning to reach out by 27 Apr 2026 before we leak along with several annoying (digital) problems that’ll come your way.” ADT has not confirmed the claimed volume.

A Recurring Target

This is not ADT’s first encounter with threat actors. The company disclosed two separate breaches in 2024 (August and October), both exposing customer and employee data. Three confirmed breaches in under two years raise serious questions about the company’s resilience to social engineering on its identity infrastructure.

What Security Teams Should Take Away

The ADT incident follows the now-familiar pattern: vishing + SSO compromise = enterprise-wide SaaS data access. For defenders, it reinforces the case for phishing-resistant MFA (hardware keys or passkeys rather than TOTP), strict Okta admin session controls, and SaaS data loss prevention tooling.
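
The fan-out described above, one SSO identity reaching several connected SaaS apps in a short span, is something defenders can look for in identity-provider logs. The Python below is an added example, not code from ADT, Okta or the article's sources; it assumes records shaped like Okta System Log `user.authentication.sso` events, and the users, IPs, per-user IP baseline and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, user, ip, app, result="SUCCESS"):
    """Build a constructed record holding only the fields the detector reads."""
    return {"published": ts, "eventType": "user.authentication.sso",
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "outcome": {"result": result},
            "target": [{"type": "AppInstance", "displayName": app}]}

# Constructed sample events (documentation IP ranges, made-up users and times).
SAMPLE = [
    ev("2026-01-10T09:00:00Z", "alice@example.com", "198.51.100.7", "Salesforce"),
    ev("2026-01-10T13:00:00Z", "alice@example.com", "198.51.100.7", "Slack"),
    ev("2026-01-10T14:02:00Z", "bob@example.com", "203.0.113.50", "Salesforce"),
    ev("2026-01-10T14:05:00Z", "bob@example.com", "203.0.113.50", "Slack"),
    ev("2026-01-10T14:09:00Z", "bob@example.com", "203.0.113.50", "Zendesk"),
    ev("2026-01-10T14:15:00Z", "bob@example.com", "203.0.113.50", "Dropbox"),
]
# Assumption: IPs each user normally signs in from, built from earlier logs.
BASELINE = {"alice@example.com": {"198.51.100.7"},
            "bob@example.com": {"192.0.2.10"}}

def sso_fanout(events, baseline, min_apps=3, window=timedelta(minutes=30)):
    """Return (user, ip, sorted apps) for each unfamiliar IP that reached
    min_apps or more distinct apps via SSO inside one sliding window."""
    by_key = defaultdict(list)
    for e in events:
        if e["eventType"] != "user.authentication.sso":
            continue
        if e["outcome"]["result"] != "SUCCESS":
            continue
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        if ip in baseline.get(user, set()):
            continue  # familiar IP for this user: outside this detection
        ts = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        apps = [t["displayName"] for t in e["target"] if t["type"] == "AppInstance"]
        by_key[(user, ip)].extend((ts, a) for a in apps)
    alerts = []
    for (user, ip), hits in by_key.items():
        hits.sort()
        for start, _ in hits:
            seen = {a for ts, a in hits if start <= ts <= start + window}
            if len(seen) >= min_apps:
                alerts.append((user, ip, sorted(seen)))
                break  # one alert per user/IP pair
    return alerts
```

An alert from this check is a triage lead, not proof of compromise: travel, VPN changes and new devices also produce unfamiliar IPs, so it is best correlated with recent MFA or help-desk activity on the same account.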

With ShinyHunters maintaining a proven, repeatable playbook and enterprise SaaS footprints continuing to expand, vishing-driven SSO compromise remains one of the highest-probability attack vectors of 2026. ADT says it has contacted all affected individuals. (Sources: BleepingComputer, ADT newsroom, April 25, 2026)

Lois Vance

Contributing writer at Clarqo, covering technology, AI, and the digital economy.