ADT confirms data breach tied to ShinyHunters, with ransom pressure underway

ADT has confirmed a data breach tied to the ShinyHunters extortion group. In a statement released today, the company said it detected unauthorized access affecting customer and prospective customer data on April 20, quickly shut down the intrusion, and launched an investigation. The assessment found that personal information was stolen, though ADT emphasized that the exposure was limited.

The company told BleepingComputer that the compromised data included names, phone numbers, and addresses. In a small subset of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were involved. Importantly, ADT said no payment information (such as bank accounts or credit cards) was accessed, and no customer security systems were affected.

ADT also noted that it has contacted all individuals believed to be affected.

A claim on the ShinyHunters data leak site

The breach is the latest in a string of incidents claimed by ShinyHunters, which stated on its data-leak portal that it had stolen more than 10 million records containing customers’ personal data. The page reportedly warned: “Over 10M records containing PII and other internal corporate data have been compromised. Pay or Leak,” and set a deadline of April 27, 2026 for contact.

ADT has not publicly confirmed the volume of data allegedly stolen by the attackers. ShinyHunters claimed the intrusion was carried out through a voice phishing (vishing) campaign that compromised an employee’s Okta single sign-on (SSO) account. Using that foothold, the group allegedly accessed and exfiltrated data from ADT’s Salesforce instance.

The extortion group is known for campaigns that target the SSO accounts of employees and BPO workers, including Microsoft Entra, Okta, and Google accounts, and then use that access to exfiltrate data from connected SaaS apps such as Salesforce, Microsoft 365, Google Workspace, and others. The stolen data is then used to pressure the company to pay a ransom or face leaks.

Context and previous incidents

ADT noted that it has previously disclosed data breaches in August and October 2024 that exposed customer and employee information. The latest incident underscores the continuing risk of SSO-based intrusions and the potential for attackers to pivot across connected cloud services to reach sensitive records.

What this means for customers
