
ADT Data Breach Confirmed as ShinyHunters Demands Ransom

Published on
April 27, 2026

Home security company ADT has confirmed a data breach affecting customer and prospective customer records, after an extortion group threatened to publish stolen data unless a ransom was paid. The ADT data breach came to light on April 24, 2026, when ShinyHunters listed the company on their dark web leak site and set a hard deadline: pay up by April 27, or the data goes public. ADT, headquartered in Boca Raton, Florida, is one of the largest home and business security providers in the United States, serving millions of customers with alarm monitoring, smart home systems, and physical security services. The company reported the incident to the U.S. Securities and Exchange Commission via a Form 8-K filing the same day the listing appeared.

What ADT Says Was Taken

ADT detected unauthorized access to its systems on April 20 and moved quickly to terminate the intrusion. An internal investigation followed, and the company has since notified affected individuals directly.

According to ADT's own statement, the stolen data was limited to names, phone numbers, and addresses. In a small number of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also included. The company was explicit that no payment data was accessed. Bank account details, credit card numbers, and customer home security systems all remained intact.

ShinyHunters tells a different story on scale. The group claims to have stolen over 10 million records containing personal information and internal corporate data. ADT has not confirmed or denied that figure, leaving a notable gap between its characterization of a "limited" intrusion and the volume the attackers are claiming.

How the Attackers Got In

ShinyHunters says the breach started with a voice phishing attack, commonly known as vishing. The attacker called an ADT employee, impersonated IT support, and manipulated the target into handing over credentials for their Okta single sign-on account. With that account compromised, the group claims it moved laterally into ADT's Salesforce instance and began extracting data.

This is the same method ShinyHunters has used across a series of high-profile attacks over the past year. The group has been running widespread vishing campaigns targeting employees at enterprise organizations, with a specific focus on SSO accounts across Microsoft Entra, Okta, and Google Workspace. Once inside a single SSO account, the blast radius can be substantial. Connected SaaS platforms, including Salesforce, Microsoft 365, Slack, Zendesk, and Dropbox, all become accessible.

The attack requires no software exploit and no zero-day vulnerability. A convincing phone call is enough.
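Because the entry point is a valid login, detection has to key on behaviour after sign-on. The sketch below is an added example, not ADT's or any vendor's tooling: it flags an SSO identity that reaches several unfamiliar connected apps from a source IP never seen for that user. The event schema, user names, IP addresses, thresholds and the function name `find_sso_fanout` are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO sign-on events (not real logs): time, user, source IP, app.
EVENTS = [
    ("2026-04-13T09:02:00", "alice", "198.51.100.10", "Microsoft 365"),
    ("2026-04-14T09:05:00", "alice", "198.51.100.10", "Slack"),
    ("2026-04-15T10:00:00", "bob",   "198.51.100.22", "Salesforce"),
    ("2026-04-15T10:30:00", "bob",   "198.51.100.22", "Slack"),
    ("2026-04-20T02:11:00", "alice", "203.0.113.77",  "Salesforce"),
    ("2026-04-20T02:14:00", "alice", "203.0.113.77",  "Zendesk"),
    ("2026-04-20T02:19:00", "alice", "203.0.113.77",  "Dropbox"),
    ("2026-04-20T08:55:00", "bob",   "192.0.2.40",    "Slack"),
]

def find_sso_fanout(events, min_apps=3, window=timedelta(minutes=30)):
    """Alert when a source IP first seen for a user reaches min_apps apps that
    the user has no history with, all within `window` of the IP's first use."""
    first_seen = {}                 # (user, ip) -> time the pair first appeared
    known_apps = defaultdict(set)   # user -> apps reached from established IPs
    burst = defaultdict(set)        # (user, ip) -> unfamiliar apps from a new IP
    alerts = []
    for ts, user, ip, app in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (user, ip)
        if when - first_seen.setdefault(key, when) > window:
            # IP has aged past the window: fold its activity into the baseline.
            known_apps[user] |= burst.pop(key, set()) | {app}
            continue
        if app in known_apps[user] or app in burst[key]:
            continue                # familiar app, or already counted in this burst
        burst[key].add(app)
        if len(burst[key]) == min_apps:   # fire once, when the threshold is crossed
            alerts.append((user, ip, sorted(burst[key])))
    return alerts

if __name__ == "__main__":
    for user, ip, apps in find_sso_fanout(EVENTS):
        print(f"ALERT {user} from new IP {ip}: {', '.join(apps)}")
```

With no prior history every IP looks new, so a real deployment would seed the baseline from several weeks of sign-on logs before alerting.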

A Recurring Problem for ADT

What makes this incident particularly striking is that it is not ADT's first. The company disclosed two separate data breaches in 2024, one in August and another in October, both of which exposed customer and employee information.

Three confirmed breaches in under twelve months raise serious questions about whether meaningful changes were made to ADT's access control and identity security posture between incidents. ShinyHunters' method of entry in this latest attack, compromising an employee SSO account to reach a Salesforce environment, was already a well-documented threat by the time this breach occurred.

The company has said it activated its Incident Response Plan, engaged third-party forensic experts, and notified law enforcement. Affected individuals have been offered free identity protection services.

ShinyHunters' Expanding Target List

ShinyHunters is one of the most active data extortion groups operating today. The group's vishing-to-SSO campaign has claimed victims across multiple sectors over the past year. Previous targets include the European Commission, whose cloud infrastructure was breached in March 2026, and Rockstar Games, where attackers pivoted through a compromised third-party analytics vendor to reach the company's Snowflake data environment. In early 2026, the group also ran a broad campaign against misconfigured Salesforce Experience Cloud installations, scanning hundreds of organizations for insecure guest user configurations.

The pattern is consistent across all of these attacks: social engineer an employee, own the SSO account, move to every connected application, steal data, and extort.

What This Means for Affected Customers

For ADT customers whose data was included in this breach, the immediate risk is targeted social engineering. Names, phone numbers, and home addresses in the hands of a threat actor create a ready-made toolkit for follow-on phishing or vishing attempts. In cases where partial Social Security numbers were also exposed, the risk of identity fraud is elevated.

ADT customers who have received a notification should treat unsolicited calls or messages claiming to be from ADT, or any other company, with caution. Legitimate organizations do not request credentials or sensitive information over the phone unprompted.

The breach also carries a broader message for any organization relying on SSO as a primary authentication layer. Without phishing-resistant multi-factor authentication, a single convincing phone call can unlock an entire SaaS environment. ShinyHunters has demonstrated, repeatedly, that employees are a more reliable attack surface than software vulnerabilities.
