ADT Salesforce Data Breach 2026: ShinyHunters Compromise Okta SSO via Vishing Attack

Executive Summary

On April 24, 2026, ADT, a leading home security provider, confirmed a data breach following an extortion threat by the ShinyHunters group. The breach was detected on April 20, 2026, when unauthorized access to customer and prospective customer data was identified. ADT immediately terminated the intrusion, initiated a forensic investigation with third-party cybersecurity experts, and notified law enforcement. The investigation determined that the compromised data included names, phone numbers, and addresses, with a small percentage of records also containing dates of birth and the last four digits of Social Security numbers or Tax IDs. Critically, no payment information or customer security system data was accessed or affected. The attack was reportedly executed via a voice phishing (vishing) campaign that compromised an employee’s Okta single sign-on (SSO) credentials, enabling access to the company’s Salesforce instance. ADT has contacted all affected individuals and is offering identity protection services as appropriate. The incident underscores the persistent threat posed by social engineering attacks targeting SSO credentials and highlights the importance of robust identity and access management controls. All information in this summary is directly supported by the cited sources below.

Technical Information

The breach of ADT’s systems was executed through a sophisticated social engineering attack, specifically a vishing campaign. Vishing, or voice phishing, is a technique where attackers impersonate trusted parties over the phone to deceive employees into revealing sensitive credentials. In this incident, the attacker targeted an ADT employee and successfully obtained their Okta SSO credentials. Okta is a widely used identity and access management platform that enables single sign-on to multiple corporate applications.

Once the attacker acquired valid Okta SSO credentials, they leveraged these to access ADT’s Salesforce instance. Salesforce is a cloud-based customer relationship management (CRM) platform that often contains extensive customer and prospect data. The attacker exfiltrated data from Salesforce, including names, phone numbers, and addresses of customers and prospective customers. In a small subset of cases, additional data such as dates of birth and the last four digits of Social Security numbers or Tax IDs were also accessed. There is no evidence that payment information, such as bank account or credit card numbers, or data related to customer security systems, was compromised.

The attack did not involve the deployment of malware or ransomware. Instead, it relied entirely on social engineering and credential abuse. The ShinyHunters group, known for targeting organizations through similar methods, claimed responsibility for the breach and threatened to leak the stolen data unless a ransom was paid. The group posted a message on their data leak site, asserting that over 10 million records had been compromised and setting a deadline for ransom payment.

ADT’s response protocols were activated immediately upon detection of the unauthorized access. The company terminated the intrusion, launched a forensic investigation with external cybersecurity experts, and notified law enforcement. All impacted individuals were directly notified, and ADT is offering complimentary identity protection services where appropriate.

The technical chain of the attack can be mapped to the MITRE ATT&CK framework as follows: initial access was gained through vishing (T1566.002), valid account credentials were abused (T1078), cloud accounts were accessed (T1078.004), data was exfiltrated from a cloud service (T1537), and the stolen data was used for extortion (T1657). No evidence of lateral movement beyond Salesforce or the use of malware was found.

The ShinyHunters group has a documented history of targeting organizations through vishing campaigns, particularly those using SSO solutions such as Okta, Microsoft Entra, and Google SSO. After obtaining access, they typically exfiltrate data from SaaS platforms including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox. The group’s activities are characterized by data theft followed by extortion threats.

The evidence supporting these technical details is of high confidence: it is based on direct statements from ADT and from the threat actor, corroborated by independent reporting from BleepingComputer and by the official ADT newsroom.

Affected Versions & Timeline

The breach affected ADT’s customer and prospective customer data stored within its Salesforce instance, accessed via compromised Okta SSO credentials. The specific versions of Okta and Salesforce in use have not been disclosed, but the attack vector was not dependent on a software vulnerability; rather, it exploited human factors and credential management.

The verified timeline of events is as follows: On April 20, 2026, ADT detected unauthorized access to customer and prospective customer data. The same day, the intrusion was terminated, a forensic investigation was launched, and law enforcement was notified. On April 24, 2026, ADT publicly confirmed the breach and detailed the scope and types of data compromised. Also on April 24, 2026, ShinyHunters issued an extortion threat, claiming to have stolen 10 million records and setting a ransom deadline of April 27, 2026.

The compromised data included names, phone numbers, and addresses for the majority of affected individuals. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also accessed. No payment information or customer security system data was compromised.

Threat Activity

The ShinyHunters group is a well-known cybercriminal organization specializing in data theft and extortion. Since at least 2025, they have conducted widespread vishing campaigns targeting employees and business process outsourcing (BPO) agents with access to SSO accounts, including Okta, Microsoft Entra, and Google SSO. Their typical modus operandi involves using social engineering to obtain valid credentials, accessing cloud-based SaaS platforms, exfiltrating sensitive data, and then threatening to leak the data unless a ransom is paid.

In the ADT incident, ShinyHunters claimed responsibility and posted a message on their data leak site, stating that over 10 million records had been compromised. They threatened to leak the data and cause additional digital disruptions if their ransom demands were not met by April 27, 2026. ADT has not confirmed the volume of data claimed by the attackers but has acknowledged the breach and the types of data involved.

The group’s activities are characterized by a focus on organizations with large customer databases and valuable personally identifiable information (PII), particularly those using cloud-based SaaS platforms and SSO solutions. Their attacks do not typically involve malware or ransomware; instead, they rely on social engineering and credential abuse to gain access and exfiltrate data.

The evidence for these threat activities is of high confidence, based on direct statements from ShinyHunters, confirmation by ADT, and independent reporting by BleepingComputer.

Mitigation & Workarounds

The following mitigation strategies are prioritized by severity:

Critical: Organizations should implement robust multi-factor authentication (MFA) for all SSO accounts, especially those with access to sensitive data in cloud-based SaaS platforms such as Salesforce. MFA significantly reduces the risk of credential compromise through social engineering attacks.

High: Conduct regular and comprehensive security awareness training for all employees, with a focus on recognizing and reporting vishing and other social engineering attempts. Employees should be trained to verify the identity of callers requesting sensitive information or credentials.

High: Monitor and audit access to critical SaaS platforms and SSO accounts for unusual or unauthorized activity. Implement automated alerts for anomalous login attempts, especially from unfamiliar locations or devices.
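The monitoring recommended above can be illustrated with a small detector that runs over identity-provider sign-in events. The following Python is an added example written for this report, not code from ADT, Okta, Salesforce or Rescana. The sample events are constructed and are modelled on the JSON shape of the Okta System Log (event names such as user.session.start and user.mfa.factor.reset_all, and fields such as actor.alternateId, client.ipAddress and client.geographicalContext.country, are assumptions to verify against your own tenant's exports). The detector builds a per-user baseline of countries seen on past successful logins, then raises an alert for a successful login from a country outside that baseline, for a success that follows a burst of failures, and for any MFA factor reset, since those are the events an SSO-credential compromise of the kind described here would leave behind.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real ADT or Okta data), one JSON object per line,
# modelled on the Okta System Log schema. Field and event names are assumptions.
HISTORY_LOG = """\
{"eventType":"user.session.start","published":"2026-04-13T09:00:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2026-04-13T09:05:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2026-04-13T09:10:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.12","geographicalContext":{"country":"United States"}}}
"""

TODAY_LOG = """\
{"eventType":"user.session.start","published":"2026-04-20T08:00:00Z","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2026-04-20T08:01:00Z","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2026-04-20T08:02:00Z","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2026-04-20T08:03:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"203.0.113.11","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2026-04-20T08:10:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"Netherlands"}}}
{"eventType":"user.mfa.factor.reset_all","published":"2026-04-20T08:12:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.7","geographicalContext":{"country":"Netherlands"}}}
{"eventType":"user.session.start","published":"2026-04-20T08:30:00Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"carol@example.com"},"client":{"ipAddress":"203.0.113.12","geographicalContext":{"country":"United States"}}}
"""

MFA_CHANGE_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _fields(event):
    """Pull the handful of fields the rules use; missing fields become None."""
    client = event.get("client", {})
    return (
        event.get("eventType"),
        event.get("outcome", {}).get("result"),
        event.get("actor", {}).get("alternateId"),
        client.get("ipAddress"),
        client.get("geographicalContext", {}).get("country"),
        datetime.fromisoformat(event["published"].replace("Z", "+00:00")),
    )


def build_baseline(events):
    """Per user, the set of countries seen on successful session starts."""
    baseline = defaultdict(set)
    for e in events:
        etype, result, user, _ip, country, _ts = _fields(e)
        if etype == "user.session.start" and result == "SUCCESS" and country:
            baseline[user].add(country)
    return baseline


def detect(events, baseline, fail_threshold=3, window=timedelta(minutes=15)):
    """Return alerts, in time order, for the three rules described in the lead-in."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed session starts
    for e in sorted(events, key=lambda ev: ev["published"]):
        etype, result, user, ip, country, ts = _fields(e)
        base = {"user": user, "ip": ip, "country": country, "time": ts.isoformat()}
        if etype == "user.session.start":
            if result != "SUCCESS":
                failures[user].append(ts)
                continue
            # Rule 1: successful login from a country this user has never used.
            if country not in baseline.get(user, set()):
                alerts.append({"rule": "new_country_login", **base})
            # Rule 2: success preceded by a burst of failures inside the window.
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "success_after_failures", "failures": len(recent), **base})
            failures[user] = []
        elif etype in MFA_CHANGE_EVENTS and result == "SUCCESS":
            # Rule 3: an MFA factor was reset or removed; always worth review.
            alerts.append({"rule": "mfa_factor_changed", "event": etype, **base})
    return alerts


def run():
    """Baseline on the historical sample, then scan the constructed day of events."""
    return detect(parse_log(TODAY_LOG), build_baseline(parse_log(HISTORY_LOG)))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the constructed data the detector produces three alerts: bob's success after three failures, alice's login from a country absent from her baseline, and the MFA factor reset on alice's account two minutes later. The baseline should be built from a window long enough to cover normal travel, and the country rule is best combined with the device fingerprint or ASN where the log carries them, since a single new-location login is noisy on its own; the new-location login immediately followed by an MFA factor change is the pairing that merits paging someone.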

Medium: Limit the scope of data accessible through SSO accounts by enforcing the principle of least privilege. Regularly review and update user permissions to ensure that employees only have access to the data necessary for their roles.

Medium: Establish and regularly test incident response protocols for data breaches involving cloud-based platforms and SSO solutions. Ensure that procedures for rapid detection, containment, investigation, and notification are in place and well understood.

Low: Offer identity protection services to affected individuals in the event of a data breach involving PII, as ADT has done in this incident.

There are no specific software patches or technical workarounds applicable to this incident, as the attack exploited human factors and credential management rather than a software vulnerability.

References

https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-shinyhunters-leak-threat/ (April 24, 2026)

https://newsroom.adt.com/corporate-news/adt-detects-cybersecurity-incident (April 24, 2026)

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and partners. Our platform enables continuous monitoring of vendor security posture, supports rapid incident response coordination, and facilitates evidence-based risk assessments for cloud-based and SaaS environments. For questions regarding this report or to discuss how our capabilities can support your organization’s risk management strategy, please contact us at ops@rescana.com.