Home security company ADT confirmed a data breach affecting 5.5 million customers after the ShinyHunters extortion group compromised an employee’s Okta single sign-on account through a voice phishing (vishing) attack, then pivoted into the company’s Salesforce CRM to extract customer records. ADT detected the intrusion on April 20, 2026. After the company declined to pay an extortion demand, ShinyHunters leaked an 11GB archive of the stolen data on the dark web. No home security systems, payment card data, or bank account information was compromised.
ADT Data Breach: What We Know So Far
Attack vector — Okta SSO vishing: ShinyHunters told BleepingComputer they gained initial access by calling an ADT employee and impersonating IT support, convincing the employee to reveal or hand over credentials for their Okta SSO account. With a valid SSO session, the attackers gained access to ADT’s Salesforce instance, which held customer records.
The Okta-via-vishing technique is a signature move for this threat actor group and was used in prior high-profile attacks, including the MGM Resorts and Caesars Entertainment breaches in 2023. The tactic exploits the human layer of multi-factor authentication: even well-configured MFA can be bypassed when an employee is social-engineered into completing or sharing an authentication step.
Data compromised:
According to ADT’s disclosure and analysis by Have I Been Pwned, the stolen dataset contains:
- Full names
- Email addresses
- Phone numbers
- Physical addresses
- In a “small percentage” of cases: dates of birth and the last four digits of Social Security numbers or Tax IDs
ADT confirmed that no payment information (bank accounts, credit cards) and no home security system data (access codes, camera feeds, monitoring details) was accessed. Customer security installations were not affected.
Timeline:
| Date | Event |
|------|-------|
| April 20, 2026 | ADT detects unauthorized access; incident response initiated |
| Late April 2026 | ShinyHunters lists ADT on its leak site; demands ransom payment |
| April 27, 2026 | ADT declines to pay; ShinyHunters publishes 11GB archive on dark web |
| April 29, 2026 | BleepingComputer and Help Net Security report breach scope and impact |
The 11GB dataset is now publicly accessible on ShinyHunters’ dark web leak site, meaning the data has moved from targeted extortion to broad exposure. Any downstream threat actor can access it for credential stuffing, spear-phishing, or social engineering targeting ADT customers.
Scope confirmation via Have I Been Pwned: Troy Hunt’s Have I Been Pwned service has ingested the dataset and created a breach entry. ADT customers can check exposure at haveibeenpwned.com.
Why the ADT Data Breach Matters
The vishing-via-SSO playbook is proliferating. ShinyHunters and its affiliated clusters have used this technique repeatedly against large enterprises. Okta’s position as a central SSO broker means a single compromised account — obtained with no technical exploit, just a phone call — can provide access to dozens or hundreds of downstream SaaS applications. Organizations relying on Okta should review their identity help desk procedures for social engineering resistance.
5.5 million records is a meaningful identity theft dataset. Names, addresses, phone numbers, and partial SSNs create a viable package for account takeover, SIM swap attacks, and targeted phishing. ADT’s customer base skews toward homeowners and businesses with physical security concerns — attackers who know someone uses ADT also know they likely have assets worth protecting.
The ransom refusal + public leak scenario is the new normal. ADT’s decision not to pay resulted in immediate public data release, consistent with ShinyHunters’ documented behavior. For affected individuals, this means the data is widely available rather than held by one extortion group. Credit monitoring and fraud alerts are more important than in a contained breach.
Salesforce as a breach target is increasingly common. Attackers are pivoting to CRM systems after gaining SSO access because CRMs aggregate high-value PII across large customer populations. Any organization with Salesforce accessible via SSO should audit session token validity, MFA step-up policies, and admin access controls.
ADT Data Breach: What You Should Do Now
For ADT customers:
- Check your exposure at Have I Been Pwned — haveibeenpwned.com/Breach/ADT. Enter your email address to confirm whether your record is in the dataset.
- Place a fraud alert or credit freeze with the three major credit bureaus (Equifax, Experian, TransUnion). Given that partial SSNs and dates of birth are in the dataset, this is warranted even before specific fraud appears.
- Watch for spear-phishing and vishing attempts. Attackers with your name, address, and phone number will construct convincing pretexts. Be skeptical of any inbound contact claiming to be from ADT or affiliated services.
- Change passwords on any accounts using the same email address, particularly if you reuse passwords. Credential stuffing campaigns against the exposed email list are likely.
- Ignore ADT imposters. Threat actors will run ADT-themed phishing campaigns against the exposed list. ADT will contact affected customers through its official channels — verify any contact by calling ADT’s official support line directly.
For security teams at other organizations:
- Audit your SSO identity help desk procedures. Implement caller verification protocols (callback to known numbers, manager confirmation, hardware token requirements) before any SSO credential resets or session unlocks.
- Review Salesforce access controls. Enforce IP allowlisting, require step-up MFA for bulk data exports, and audit API access tokens for dormant integrations.
- Enable SSPM (SaaS Security Posture Management) if you use Okta + Salesforce or similar combinations. Detect excessive data access and unusual export activity.
Detection and Verification Checklist
- ADT customers: Check HIBP and the HIBP notification service for breach confirmation.
- Organizations: Review Okta admin audit logs for unusual account unlocks, password resets, or MFA bypass events in the last 30 days.
- Salesforce: Check the Salesforce Event Monitoring log for bulk data export or unusual API calls. Review connected app permissions for recently added OAuth grants.
- Verify ADT’s breach disclosure against the company’s official newsroom before communicating internally or to customers.
- Next-source verification: BleepingComputer’s full report includes the Have I Been Pwned analysis and ShinyHunters’ statements.
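The Okta log review in the checklist above can be automated as a correlation. This is an added example, not code from ADT, Okta, or the cited sources: it flags a credential or MFA reset performed on a user's behalf that is followed by an SSO sign-in to Salesforce from an IP address not previously seen for that user. The function names, the 24-hour window, the new-IP heuristic, and the sample events are assumptions; the event type strings and field names follow the Okta System Log format.

```python
from datetime import datetime, timedelta

# Okta System Log event types for recovery actions a help desk can perform.
RESET_EVENTS = {"user.account.reset_password", "user.account.unlock",
                "user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
WINDOW = timedelta(hours=24)  # assumption: tune to your environment

def ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def find_reset_then_sso(events, app_name="Salesforce"):
    """Flag users whose credentials or MFA were reset by another account and who
    then reached app_name over SSO within WINDOW from an IP new for that user."""
    findings, last_reset, known_ips = [], {}, {}
    for ev in sorted(events, key=ts):
        actor, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        targets = ev.get("target") or []
        if ev["eventType"] in RESET_EVENTS:
            for t in targets:
                if t["type"] == "User" and t["alternateId"] != actor:
                    last_reset[t["alternateId"]] = ev  # done on the user's behalf
        elif ev["eventType"] == "user.authentication.sso":
            apps = {t["displayName"] for t in targets if t["type"] == "AppInstance"}
            reset = last_reset.get(actor)
            if (reset and app_name in apps and ts(ev) - ts(reset) <= WINDOW
                    and ip not in known_ips.get(actor, set())):
                findings.append({"user": actor, "reset": reset["eventType"],
                                 "reset_by": reset["actor"]["alternateId"], "sso_ip": ip})
            known_ips.setdefault(actor, set()).add(ip)
    return findings

def _ev(etype, when, actor, ip, ttype, tname):  # builds one constructed sample event
    key = "displayName" if ttype == "AppInstance" else "alternateId"
    return {"eventType": etype, "published": when, "actor": {"alternateId": actor},
            "client": {"ipAddress": ip}, "target": [{"type": ttype, key: tname}]}

# Constructed sample data (not from the incident): documentation IPs, example.com users.
HD, SSO = "helpdesk@example.com", "user.authentication.sso"
SAMPLE_EVENTS = [
    _ev(SSO, "2026-01-05T09:00:00.000Z", "alice@example.com", "198.51.100.10", "AppInstance", "Salesforce"),
    _ev(SSO, "2026-01-05T09:30:00.000Z", "carol@example.com", "198.51.100.20", "AppInstance", "Salesforce"),
    _ev("user.mfa.factor.reset_all", "2026-01-12T14:00:00.000Z", HD, "198.51.100.5", "User", "alice@example.com"),
    _ev(SSO, "2026-01-12T14:20:00.000Z", "alice@example.com", "203.0.113.77", "AppInstance", "Salesforce"),
    _ev("user.account.reset_password", "2026-01-12T15:00:00.000Z", HD, "198.51.100.5", "User", "carol@example.com"),
    _ev(SSO, "2026-01-12T15:30:00.000Z", "carol@example.com", "198.51.100.20", "AppInstance", "Salesforce"),
]

if __name__ == "__main__":
    for finding in find_reset_then_sso(SAMPLE_EVENTS):
        print(finding)
```

Only alice is flagged: carol's reset is followed by a sign-in from an address already seen for her, so it is treated as routine.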
— Sources: BleepingComputer, Help Net Security, Have I Been Pwned

