ADT Inc. (NYSE: ADT), the largest home security provider in the United States, is facing a federal class action lawsuit after the ShinyHunters cybercriminal group allegedly exfiltrated personally identifiable information belonging to approximately 5.5 million customers. The breach, disclosed to the SEC via an 8-K filing on April 24, 2026, occurred on or about April 20, 2026, and is now the subject of James v. ADT Inc., Case No. 9:26-cv-80546, filed in the U.S. District Court for the Southern District of Florida.
What Happened
On or about April 20, 2026, threat actors associated with ShinyHunters infiltrated ADT's cloud environment by socially engineering an employee out of their Okta single sign-on credentials. Once inside, the attackers pivoted to ADT's Salesforce tenant and exfiltrated a customer database containing roughly 5.5 million unique account records. ADT disclosed the incident to the U.S. Securities and Exchange Commission via Form 8-K on April 24, 2026, began notifying impacted individuals shortly thereafter, and offered complimentary identity protection services. Plaintiff Latonia James filed the class action in May 2026, represented by Lynch Carpenter LLP attorneys Nicholas A. Colella and Stephen E. Connolly, alleging the Boca Raton-based company failed to implement reasonable security controls against a foreseeable attack pattern.
What Was Taken
According to the complaint and corroborating data surfaced via Have I Been Pwned, the exfiltrated dataset includes:
- Full names
- Residential addresses
- Phone numbers
- Dates of birth
- Last four digits of Social Security numbers
- Tax identification numbers
The dataset covers current customers, former customers, and prospective customers who provided ADT with information during the sales process. With 5.5 million unique accounts confirmed, the breach ranks among the largest disclosed incidents in the U.S. residential security sector and represents a particularly sensitive corpus given the overlap between ADT's customer roster and physical premises that the company is contractually paid to protect.
Why It Matters
The strategic concern here extends well beyond standard identity fraud risk. ADT's customer base is, by definition, a list of homes and small businesses with alarm systems, the addresses of those premises, and the contact details of the residents. That intelligence is uniquely valuable to physical-intrusion actors, SIM-swap crews looking for high-net-worth targets, and social engineers building pretexts for follow-on fraud. The breach is also the latest data point in a pattern: ShinyHunters has spent 2025 and 2026 running an industrialized vishing campaign against Salesforce tenants belonging to Fortune 1000 enterprises, with confirmed victims spanning retail, hospitality, and now security services. The Okta-to-Salesforce pivot demonstrated here is now a repeatable playbook, not a novel exploit.
The Attack Technique
The complaint and public reporting attribute the intrusion to voice phishing (vishing) directed at an ADT employee with Salesforce access. The attacker placed a phone call impersonating IT or a trusted internal service, walked the employee through an Okta SSO authentication flow, and harvested live session credentials including any push or one-time password challenges. Once authenticated as the targeted user, ShinyHunters accessed the Salesforce environment and used the platform's native data export functionality, likely the Data Loader utility or REST API queries, to bulk-exfiltrate the customer object. This tradecraft matches the cluster of activity that Google's Threat Intelligence Group has tracked as UNC6040, and which has hit numerous Salesforce customers throughout the past year without requiring any vulnerability in Salesforce itself.
What Organizations Should Do
- Audit Salesforce data export volumes. Enable and review Event Monitoring or Shield logs for unusually large REPORT_EXPORT, BULK_API, or Data Loader events from a single user session, and alert on outliers.
- Enforce phishing-resistant MFA. Replace push and OTP factors with FIDO2 or hardware-bound passkeys for any account that can reach Salesforce, Okta admin consoles, or other CRM tenants holding PII.
- Restrict connected apps and OAuth scopes. Inventory authorized connected apps in Salesforce, remove unused integrations, and require admin approval for any new OAuth grant. ShinyHunters has previously abused malicious connected apps to maintain access.
- Implement IP allowlisting and session controls. Lock Salesforce logins and Data Loader usage to known corporate egress ranges or VPN exits, and shorten session timeouts for privileged users.
- Run targeted vishing simulations. Train support, sales operations, and IT helpdesk staff specifically against scenarios involving callers requesting MFA approvals or password resets. Establish an out-of-band verification protocol for any inbound IT call.
- Pre-stage breach response for CRM compromise. Assume that any Salesforce-resident customer database is a discrete crown jewel and rehearse the notification, SEC disclosure, and credit monitoring workflow before an incident, not after.
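An added example (not from the original article, ADT, or Salesforce) of the export-volume audit in the first recommendation: it totals exported rows per user session and flags sessions far above the median across all sessions. The CSV layout, the DATA_LOADER label, the user names, and the thresholds are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# REPORT_EXPORT and BULK_API are the labels used in the article; DATA_LOADER
# and the column layout are assumptions, not Salesforce's own log schema.
EXPORT_EVENTS = {"REPORT_EXPORT", "BULK_API", "DATA_LOADER"}

# Constructed sample rows: timestamp,user,session,event,rows
SAMPLE_LOG = """\
2025-03-03T09:02:11Z,user_a,s-101,REPORT_EXPORT,1200
2025-03-03T09:40:03Z,user_a,s-101,LOGIN,0
2025-03-04T11:15:47Z,user_b,s-102,BULK_API,3000
2025-03-05T14:22:09Z,user_c,s-103,REPORT_EXPORT,800
2025-03-06T10:05:30Z,user_a,s-104,REPORT_EXPORT,1500
2025-03-07T16:48:12Z,user_d,s-105,BULK_API,2500
2025-03-10T02:13:55Z,user_c,s-106,BULK_API,250000
2025-03-10T02:19:40Z,user_c,s-106,BULK_API,250000
2025-03-10T02:26:02Z,user_c,s-106,REPORT_EXPORT,40000
"""

def session_totals(log_text):
    """Sum exported rows per (user, session), ignoring non-export events."""
    totals = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, user, session, event, rows = row
        if event in EXPORT_EVENTS:
            totals[(user, session)] += int(rows)
    return dict(totals)

def flag_outliers(totals, threshold=6.0, min_rows=10_000):
    """Flag sessions whose export volume is far above the median session.

    Uses the modified z-score (median and MAD), so one very large session
    cannot inflate the baseline the way it would inflate a mean.
    """
    volumes = list(totals.values())
    med = median(volumes)
    mad = median(abs(v - med) for v in volumes) or 1.0  # avoid divide-by-zero
    alerts = []
    for (user, session), vol in totals.items():
        score = 0.6745 * (vol - med) / mad
        if vol >= min_rows and score > threshold:
            alerts.append((user, session, vol, round(score, 1)))
    return sorted(alerts, key=lambda a: -a[2])
```

Because the total is taken per session rather than per event, several medium-sized exports in one login add up to a single alert.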
Sources: ADT Data Breach Class Action Lawsuit, ShinyHunters Stole 5.5 Million Records?