ADT Confirms Data Breach After ShinyHunters Leak Threat


ADT has confirmed a data breach after detecting unauthorized access to certain cloud-based environments on April 20, 2026. The home security company said the exposed information involved a limited set of customer and prospective customer records, while payment data and home security systems were not affected.

The disclosure came after ShinyHunters claimed it had stolen more than 10 million ADT records and threatened to leak the data unless the company responded by April 27, 2026. ADT has not confirmed the attackers’ claimed record count.

ADT said its investigation found that the information involved was limited mainly to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also included.

ADT says security systems were not compromised

ADT said no bank account or credit card information was accessed. The company also stressed that customer security systems were not affected or compromised in any way.

After discovering the intrusion, ADT said it terminated the unauthorized access, activated its incident response plan, launched an investigation, hired third-party cybersecurity experts, and notified law enforcement.

The company also said it directly notified impacted individuals and will provide complimentary identity protection services where appropriate. ADT said it does not expect the incident to have a material impact on its financial condition or operations.

ShinyHunters claims Okta and Salesforce access

ShinyHunters told BleepingComputer that the breach allegedly started with a voice phishing attack that compromised an employee’s Okta single sign-on account. The group claimed it then used that access to steal data from ADT’s Salesforce instance.

Voice phishing, also known as vishing, relies on phone calls or live social engineering to trick employees into approving access, sharing credentials, or enrolling attacker-controlled authentication factors.

The alleged attack path fits a broader pattern seen in recent ShinyHunters-linked activity, where threat actors focus on identity systems and cloud applications rather than traditional malware deployment.

Detail: What is known
Company affected: ADT Inc.
Date detected: April 20, 2026
Date disclosed: April 24, 2026
Threat actor claim: ShinyHunters claimed more than 10 million records
Confirmed data types: Names, phone numbers, addresses
Limited additional data: Dates of birth, last four SSN or Tax ID digits
Payment data: ADT says it was not accessed
Home security systems: ADT says they were not affected
Claimed attack path: Vishing, Okta SSO compromise, Salesforce access

Why the breach matters

ADT sells home security and smart home services, which makes customer trust central to its business. Even when alarm systems remain safe, exposed names, phone numbers, home addresses, and partial identity details can still create real risk for customers.

Attackers can use this kind of data for phishing, impersonation, fake support calls, identity fraud attempts, and targeted scams. Home addresses tied to security customers may also create extra concern, even when the technical security systems continue to work.

The incident also adds pressure on companies that rely on cloud platforms such as Okta and Salesforce. Strong passwords alone do not stop real-time social engineering attacks when employees approve fraudulent access during a live call.

ADT has faced earlier security incidents

This is not the first recent cybersecurity issue disclosed by ADT. In August 2024, the company confirmed that attackers accessed databases containing customer order information, including email addresses, phone numbers, and postal addresses.

In October 2024, ADT reported another incident involving unauthorized activity on its network. Reuters reported that the company said an actor used credentials obtained through a third-party business partner and accessed encrypted internal data related to employee user accounts.

The latest disclosure will likely renew scrutiny of ADT’s cloud access controls, employee authentication workflows, and monitoring for suspicious SaaS activity.

What ADT customers should do

ADT customers should stay alert for phishing calls, text messages, and emails that reference ADT accounts, home security services, billing, or identity protection. Attackers may use real customer details to make scams look more convincing.

Customers should also avoid sharing one-time passcodes, passwords, or account recovery information with anyone who calls unexpectedly. ADT customers can contact the company through official support channels if they receive suspicious messages.

Recommended steps include:

  • Watch for phone calls claiming to be from ADT support.
  • Avoid clicking links in unexpected ADT-related emails or texts.
  • Change ADT account passwords if reused anywhere else.
  • Enable multi-factor authentication where available.
  • Review credit reports if Social Security or Tax ID data was involved.
  • Use any identity protection services offered by ADT.
  • Report suspicious ADT-themed messages to the company.

What companies can learn from the incident

The claimed attack path shows how one employee account can become a bridge into sensitive cloud data. Companies should treat SSO accounts, Salesforce access, and help desk workflows as high-value targets.

Security teams should train employees to reject phone-based authentication pressure and verify support requests through known internal channels. They should also monitor for unusual Salesforce exports, new API activity, mass record access, and abnormal Okta login behavior.

Controls such as phishing-resistant MFA, device trust, session monitoring, conditional access, and rapid token revocation can reduce the damage from vishing-led account compromise.
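
The monitoring advice above can be turned into a correlation rule: alert when a user's Salesforce record volume spikes shortly after a new MFA factor is enrolled from an IP address not previously seen for that user. The sketch below is an added example, not code from ADT, Okta, or Salesforce; the event schema, the action names, the 4-hour window, and the 5,000-record threshold are all assumptions to be mapped onto your own logs and baselines.

```python
from datetime import datetime, timedelta

# Constructed events in a hypothetical normalized schema, not the native Okta
# or Salesforce log format: (time, source, user, action, ip, records_read).
EVENTS = [
    ("2026-01-05T08:00:00", "okta", "bob", "login", "203.0.113.5", 0),
    ("2026-01-05T08:05:00", "okta", "carol", "login", "198.51.100.20", 0),
    ("2026-01-05T08:30:00", "salesforce", "alice", "report_export", "198.51.100.10", 200),
    ("2026-01-05T09:00:00", "okta", "dave", "mfa_enroll", "192.0.2.99", 0),
    ("2026-01-05T09:10:00", "okta", "carol", "mfa_enroll", "198.51.100.20", 0),
    ("2026-01-05T09:20:00", "salesforce", "carol", "report_export", "198.51.100.20", 9000),
    ("2026-01-05T10:00:00", "okta", "bob", "mfa_enroll", "192.0.2.77", 0),
    ("2026-01-05T10:20:00", "salesforce", "bob", "api_query", "192.0.2.77", 3000),
    ("2026-01-05T10:45:00", "salesforce", "bob", "report_export", "192.0.2.77", 4000),
    ("2026-01-05T15:00:00", "salesforce", "dave", "api_query", "192.0.2.99", 8000),
]

def correlate(events, window=timedelta(hours=4), threshold=5000):
    """Return one alert per user whose cumulative Salesforce record reads
    reach `threshold` within `window` after an MFA factor was enrolled
    from an IP that user had not been seen on before."""
    alerts = []
    seen_ips = {}   # user -> IPs observed so far
    enrolls = {}    # user -> (time, ip) of the open suspicious enrollment
    volume = {}     # user -> records read since that enrollment
    for ts, src, user, action, ip, rows in sorted(events):
        when = datetime.fromisoformat(ts)
        known = seen_ips.setdefault(user, set())
        if src == "okta" and action == "mfa_enroll" and ip not in known:
            enrolls[user], volume[user] = (when, ip), 0
        elif src == "salesforce" and user in enrolls:
            start, enroll_ip = enrolls[user]
            if when - start <= window:
                volume[user] += rows
                if volume[user] >= threshold:
                    alerts.append({"user": user, "enroll_ip": enroll_ip,
                                   "records": volume[user], "at": ts})
                    del enrolls[user]   # one alert per enrollment
        known.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In the constructed data only bob is flagged: carol enrolls from an IP she already uses, and dave's large query falls outside the window, which shows how the window length trades missed slow exfiltration against alert noise.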

Summary

  1. ADT confirmed unauthorized access to cloud-based environments detected on April 20, 2026.
  2. ShinyHunters claimed it stole more than 10 million records and threatened to leak the data.
  3. ADT said exposed data included names, phone numbers, and addresses, with limited DOB and partial SSN or Tax ID data.
  4. ADT said payment information and home security systems were not affected.
  5. The claimed attack path involved vishing, Okta SSO compromise, and Salesforce data access.

FAQ

What happened to ADT?

ADT confirmed unauthorized access to certain cloud-based environments. The company said a limited set of customer and prospective customer records was involved.

What data was exposed in the ADT breach?

ADT said the exposed information mainly included names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also included.

Were ADT home security systems hacked?

ADT said customer security systems were not affected or compromised.

Was payment information exposed?

ADT said no payment information, including bank account or credit card data, was accessed.
