ADT Confirms Data Breach After ShinyHunters Leak Threat
<h3 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">What happened</h3><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Home security company ADT has confirmed a data breach after the ShinyHunters extortion group listed the company on its data leak site on April 24, 2026, threatening to publish stolen data unless a ransom is paid by April 27.</p><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">ADT said it detected unauthorized access to customer and prospective customer data on April 20, terminated the intrusion, and launched an investigation. The company confirmed that names, phone numbers, and addresses were stolen, with dates of birth and the last four digits of Social Security numbers or Tax IDs exposed in a small percentage of cases. ADT stated that no payment information was accessed and that customer security systems were not affected. The company said it has contacted all affected individuals but did not confirm or deny the volume claimed by ShinyHunters, who assert they stole over 10 million records.</p><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">ShinyHunters told BleepingComputer the breach was initiated through a vishing attack that compromised an employee’s Okta SSO account. Using that access, the group claims to have extracted data from ADT’s Salesforce instance. 
ShinyHunters has been running widespread vishing campaigns since last year targeting employees’ Microsoft Entra, Okta, and Google SSO accounts, then pivoting to connected SaaS platforms including Salesforce, Microsoft 365, Slack, Zendesk, and others to steal data for extortion.</p><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">This is the third ADT data breach disclosure in under a year, following incidents in August and October 2024 that exposed customer and employee information.</p><h3 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">Who is affected</h3><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">ADT customers and prospective customers whose personal information was stored in the accessed systems are directly affected. The company has not confirmed the total number of affected individuals, leaving a significant gap between its characterization of a limited intrusion and ShinyHunters’ claim of 10 million records.</p><h3 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">Why CISOs should care</h3><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">A single compromised Okta SSO account providing access to Salesforce data at a company the size of ADT is a clean illustration of how much blast radius a single identity compromise can carry. ShinyHunters has refined this playbook across multiple campaigns: vish an employee, own the SSO account, pivot to every connected SaaS application, exfiltrate, and extort. The technique does not require exploiting a technical vulnerability in the target’s infrastructure. It requires a convincing phone call.</p><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">ADT’s third breach in under a year also raises questions about whether identity and access controls have been adequately hardened between incidents. 
For security leaders, the pattern here is more instructive than any single data point.</p><h3 class="text-text-100 mt-3 -mb-1 text-[1.125rem] font-bold">3 practical actions</h3><ol class="[li_&]:mb-0 [li_&]:mt-1 [li_&]:gap-1 [&:not(:last-child)_ul]:pb-1 [&:not(:last-child)_ol]:pb-1 list-decimal flex flex-col gap-1 pl-8 mb-3"> <li class="whitespace-normal break-words pl-2"><strong>Implement phishing-resistant MFA on all SSO accounts, particularly Okta, Entra, and Google Workspace:</strong> Vishing attacks that compromise SSO accounts succeed when MFA can be bypassed or socially engineered. FIDO2 hardware keys and passkeys resist the real-time phishing and vishing techniques ShinyHunters uses, while TOTP codes do not.</li> <li class="whitespace-normal break-words pl-2"><strong>Audit SaaS application access granted through SSO and apply least-privilege scoping:</strong> A single compromised SSO account should not provide unrestricted access to Salesforce, Slack, Zendesk, and other platforms simultaneously. Review OAuth scopes and session permissions to ensure that SSO compromise does not automatically translate to broad SaaS data access.</li> <li class="whitespace-normal break-words pl-2"><strong>Train employees to recognize and report vishing attempts targeting corporate credentials:</strong> ShinyHunters’ campaign relies on employees being convinced over the phone to provide credentials or approve MFA requests. 
Anti-vishing training, clear escalation procedures for suspicious calls claiming to be IT or vendors, and a culture of verification before action are the primary defenses against this entry vector.</li> </ol><p>The post <a rel="nofollow" href="https://cisowhisperer.com/adt-confirms-data-breach-after-shinyhunters-leak-threat/">ADT Confirms Data Breach After ShinyHunters Leak Threat</a> appeared first on <a rel="nofollow" href="https://cisowhisperer.com/">CISO Whisperer</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://cisowhisperer.com">CISO Whisperer</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Evan Rowe">Evan Rowe</a>. Read the original post at: <a href="https://cisowhisperer.com/adt-confirms-data-breach-after-shinyhunters-leak-threat/?utm_source=rss&utm_medium=rss&utm_campaign=adt-confirms-data-breach-after-shinyhunters-leak-threat">https://cisowhisperer.com/adt-confirms-data-breach-after-shinyhunters-leak-threat/?utm_source=rss&utm_medium=rss&utm_campaign=adt-confirms-data-breach-after-shinyhunters-leak-threat</a> </p>