Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group listed the company on its leak site, claiming to hold over 10 million records of customer personal information. ADT detected unauthorized access on April 20, 2026, and says the attackers exfiltrated names, phone numbers, addresses, and in a small subset of cases, dates of birth and partial SSNs or Tax IDs. ShinyHunters has set a ransom deadline of April 27, 2026.
What Happened
ADT detected unauthorized access to customer and prospective customer data on April 20, 2026, terminated the intrusion, and launched an internal investigation. Within days, ShinyHunters listed ADT on its data leak site, posting a "Pay or Leak" ultimatum and threatening to publish the stolen data along with "several annoying (digital) problems" if no ransom is paid by April 27. ADT publicly confirmed the breach today but did not validate the 10 million record figure claimed by the attackers. This marks the third disclosed data exposure for ADT, following separate incidents in August and October 2024.
What Was Taken
ADT states the compromised data was limited to names, phone numbers, and physical addresses. In a small percentage of cases, the records also contained dates of birth and the last four digits of Social Security numbers or Tax IDs. The company emphasized that no payment information, bank accounts, or credit card data were accessed, and that customer security systems and alarm services were not impacted. ShinyHunters, however, claims the haul exceeds 10 million records and includes "internal corporate data" beyond what ADT has acknowledged. All affected individuals have reportedly been contacted.
Why It Matters
ADT serves millions of residential and small business customers across North America, making any leak a high-value targeting dataset for downstream fraud, SIM swapping, and physical reconnaissance. Even a "limited" set of names, addresses, and phone numbers, when correlated with home security customer status, creates a uniquely sensitive risk profile that could be abused for tailored social engineering or burglary scouting. The incident also reinforces that ShinyHunters' Salesforce-focused extortion campaign continues to compromise blue-chip enterprises with mature security programs, and that SaaS-resident customer data remains the new center of gravity for breach impact.
The Attack Technique
ShinyHunters told BleepingComputer the breach began with a voice phishing (vishing) call that tricked an ADT employee into surrendering credentials for their Okta single sign-on account. Using that authenticated session, the attackers pivoted into ADT's connected Salesforce instance and exfiltrated customer records. This tradecraft mirrors a sustained ShinyHunters campaign running since 2024, in which the group targets employees and BPO agents at large enterprises to compromise Microsoft Entra, Okta, and Google SSO accounts. Once inside, they harvest data from federated SaaS platforms including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox before issuing extortion demands.
What Organizations Should Do
- Enforce phishing-resistant MFA (FIDO2 / hardware keys) on all SSO identity providers, eliminating push notifications and SMS codes that vishing operators routinely defeat.
- Train help desks and frontline staff against vishing pretexts, including strict callback verification before any credential, MFA reset, or session-related action.
- Audit Salesforce and other SaaS tenants for unusual bulk export activity, third-party connected app abuse, and Data Loader or Bulk API usage from anomalous IPs.
- Apply least privilege and field-level access controls on customer PII objects in Salesforce, ensuring no single user session can extract full customer databases.
- Deploy SSPM tooling and identity threat detection to flag impossible travel, new OAuth grants, and Okta sign-ins from residential proxies favored by ShinyHunters infrastructure.
- Maintain a tested extortion response playbook, including legal, communications, and law enforcement coordination, given the group's tight public deadlines and leak site pressure tactics.
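The bulk-export audit recommended above can be sketched as a small detection script. This is an added example, not code from ADT, Salesforce, or the cited report: the CSV column names, event type values, corporate network range, and row threshold are all assumptions to be mapped onto your own tenant's event log export, and the log lines are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export; column names are assumptions for this example.
SAMPLE_LOG = """timestamp,user,client_ip,event_type,rows
2026-04-20T09:02:11Z,alice,10.20.1.15,ReportExport,1200
2026-04-20T09:40:02Z,bob,10.20.3.7,BulkApi,8000
2026-04-20T13:05:44Z,carol,203.0.113.54,BulkApi,250000
2026-04-20T13:09:10Z,carol,203.0.113.54,BulkApi,250000
2026-04-20T13:15:31Z,carol,203.0.113.54,ReportExport,90000
2026-04-20T14:00:00Z,dave,198.51.100.9,ReportExport,300
"""

CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed egress range
EXPORT_EVENTS = {"BulkApi", "ReportExport"}  # assumed event type values
ROW_THRESHOLD = 100_000  # assumed per-user daily ceiling


def find_bulk_export_anomalies(log_text, nets=CORPORATE_NETS, threshold=ROW_THRESHOLD):
    """Flag user-days whose export volume is unusually high.

    A user-day is flagged when total exported rows exceed the threshold, or
    exceed a tenth of it while any export came from outside the known networks.
    """
    totals = defaultdict(int)
    off_net_ips = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_type"] not in EXPORT_EVENTS:
            continue
        key = (row["user"], row["timestamp"][:10])  # aggregate per user per day
        totals[key] += int(row["rows"])
        ip = ipaddress.ip_address(row["client_ip"])
        if not any(ip in net for net in nets):
            off_net_ips[key].add(str(ip))
    findings = []
    for (user, day), rows in sorted(totals.items()):
        ips = sorted(off_net_ips[(user, day)])
        if rows > threshold or (ips and rows > threshold // 10):
            findings.append({"user": user, "day": day, "rows": rows,
                             "off_network_ips": ips})
    return findings


if __name__ == "__main__":
    for finding in find_bulk_export_anomalies(SAMPLE_LOG):
        print(finding)
```

Aggregating per user per day matters because an export split across several smaller jobs can stay under any per-job limit while the daily total does not.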
Sources: ADT confirms data breach after ShinyHunters leak threat