ADT Confirms Data Breach: ShinyHunters Claims 10 Million Records Stolen via Vishing Attack

dark6 26 April 2026

Home security giant ADT Inc. has confirmed a significant data breach after the notorious threat group ShinyHunters claimed responsibility for stealing over 10 million records and issued a “Pay or Leak” ultimatum with an April 27, 2026 deadline.

The Breach: What Happened

ADT disclosed the incident via a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC) on April 24, 2026, stating that it became aware of unauthorized access to certain cloud-based environments on April 20, 2026. The filing came after ShinyHunters published a listing on their dark web data leak site, claiming to have compromised “over 10 million records containing PII and other internal corporate data.”

The threat group issued a direct warning to the company: “Reach out by 27 Apr 2026 before we leak, along with several annoying (digital) problems that’ll come your way.”

How the Attack Was Executed

ShinyHunters claims the breach was carried out through a voice phishing (vishing) attack that successfully compromised an employee’s Okta single sign-on (SSO) account. Using this foothold, the attackers allegedly accessed and exfiltrated data from ADT’s Salesforce instance. Impersonating IT support to manipulate employees into granting internal system access is a hallmark tactic of ShinyHunters’ operations — the same technique was used in several other high-profile breaches attributed to the group.

What Data Was Exposed

ADT’s own investigation determined that the exposed data was limited to customer and prospective customer records. The compromised information primarily included:

  • Names, phone numbers, and home addresses
  • In some cases, dates of birth
  • In some cases, the last four digits of Social Security numbers or Tax IDs

ADT confirmed that no financial information — such as bank account or credit card data — was accessed, and that customer home security systems remained secure and fully operational. The company stated it has “directly notified all impacted individuals” and will provide complimentary identity protection services where necessary.

ADT’s Immediate Response

Upon detecting the intrusion, ADT took the following steps:

  • Terminated the unauthorized access
  • Activated its Incident Response Plan (IRP)
  • Engaged third-party cybersecurity experts for a forensic investigation
  • Notified law enforcement

ADT’s 8-K filing stressed that the company does not believe the incident is “reasonably likely to have a material impact” on its financial condition or ongoing business operations, though the full scope of the breach remains under assessment.

A Pattern of Breaches at ADT

This is not ADT’s first security incident. The company previously disclosed two separate breaches in August and October 2024, both of which exposed customer and employee information. The recurrence raises serious questions about ADT’s cloud security posture, SSO authentication hygiene, and overall incident resilience — particularly around how employee credentials are protected against social engineering.

Who Are ShinyHunters?

ShinyHunters is one of the most prolific cybercriminal groups operating today, linked to dozens of high-profile data breaches and extortion campaigns. Their use of vishing to bypass MFA-protected SSO platforms represents a dangerous evolution in social engineering. Other notable ShinyHunters victims in recent months include Vercel (via the Context.ai supply chain breach) and Canada Life Assurance, where 5.6 million Salesforce records were threatened.

What Customers Should Do

If you are an ADT customer or prospect, consider taking the following immediate precautions:

  • Monitor your credit reports and financial statements for unusual activity
  • Enroll in ADT’s offered identity protection services if contacted by the company
  • Be alert to phishing emails or calls referencing the breach that may use stolen data
  • Consider placing a fraud alert or credit freeze with major credit bureaus if your partial SSN was exposed
  • Change passwords on any accounts where you may have used similar credentials
