PROBABLYPWNED
Data Breaches | May 2, 2026

ADT Breach Exposes 5.5 Million Customers After Vishing Attack

ShinyHunters breached home security giant ADT via voice phishing to compromise an employee's Okta SSO, stealing 5.5 million customer records from Salesforce.

Sarah Mitchell

Home security giant ADT confirmed that attackers stole personal information belonging to 5.5 million customers after compromising an employee's Okta single sign-on account through voice phishing. The ShinyHunters extortion group claimed responsibility and leaked an 11GB data archive after failing to extract a ransom payment.

How the Attack Unfolded

ADT detected unauthorized access to customer data on April 20, 2026. According to ShinyHunters, the attackers used voice phishing—calling an employee and manipulating them into revealing their Okta credentials—to gain initial access. From there, they pivoted to ADT's Salesforce instance and exfiltrated millions of customer records.

This SSO-to-SaaS attack pattern has become ShinyHunters' signature move. The group used nearly identical vishing tactics against Vercel in April, targeting Okta credentials to breach downstream SaaS applications. They've also hit Canada Life Assurance using the same Salesforce exfiltration playbook.

What Data Was Exposed

Have I Been Pwned analyzed the stolen records and confirmed 5.5 million individuals were affected. The compromised data includes:

  • Email addresses
  • Full names
  • Dates of birth
  • Phone numbers
  • Physical addresses
  • Partial government-issued IDs (last four digits of SSNs/Tax IDs in some cases)

ADT stated that payment information—bank accounts and credit cards—was not accessed. Customer security systems and alarm monitoring were unaffected.

ShinyHunters' Escalating Campaign

ShinyHunters listed ADT on their dark web leak site on April 23, initially claiming to have stolen over 10 million Salesforce records. When ADT refused to pay, the group dumped the data publicly.

This follows a pattern of vishing attacks against Okta SSO environments that ShinyHunters has refined over the past year. The group specifically targets employees and Business Process Outsourcing (BPO) agents who handle SSO credentials for Microsoft Entra, Okta, and Google accounts.

The attackers have learned that compromising a single SSO account often grants access to dozens of connected SaaS applications. In ADT's case, that meant direct access to customer data stored in Salesforce without needing to breach ADT's core infrastructure.

Why This Matters

ADT's breach underscores a systemic risk: when an organization relies on SSO for SaaS access, each employee's identity provider account becomes a single point of failure. Once an attacker controls an employee's identity provider credentials, they inherit that employee's access to every connected application.

For security teams managing social engineering defenses, this incident demonstrates that vishing attacks targeting help desk and BPO staff deserve the same attention as email phishing. Voice-based attacks bypass many technical controls and exploit the human tendency to trust callers who sound authoritative.

Organizations using Okta, Microsoft Entra, or similar identity providers should consider:

  1. Hardware security keys for SSO authentication—not just app-based MFA that can be socially engineered
  2. Call-back verification procedures for any request involving credential changes
  3. BPO staff training specifically covering vishing scenarios targeting SSO accounts
  4. Conditional access policies that restrict SaaS access based on device compliance and location
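
Item 4 sketched as an added example (not code from the article, ADT, or any identity provider): a policy check that gates SSO requests to a customer-data application on device compliance and location, so a phished password alone does not open Salesforce. The record schema, the `step_up` decision, the app and country sets, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:              # simplified, hypothetical schema (not an IdP log format)
    user: str
    app: str               # SaaS application requested through SSO
    device_id: str
    managed: bool          # device is enrolled and compliant
    country: str           # geolocated source country

SENSITIVE_APPS = {"salesforce"}     # assumption: apps holding customer records
ALLOWED_COUNTRIES = {"US"}          # assumption: where staff normally work

def evaluate(event, known_devices):
    """Return (decision, reasons) for one SSO request to an application."""
    reasons = []
    if not event.managed:
        reasons.append("unmanaged_device")
    if event.country not in ALLOWED_COUNTRIES:
        reasons.append("location_not_allowed")
    hard_fail = bool(reasons)         # compliance or location rule violated
    if event.device_id not in known_devices.get(event.user, set()):
        reasons.append("first_seen_device")
    if hard_fail and event.app in SENSITIVE_APPS:
        return "deny", reasons        # valid credentials alone are not enough
    if reasons:
        return "step_up", reasons     # e.g. require a hardware security key
    return "allow", reasons

def replay(events, known_devices):
    """Evaluate events in order; returns (user, app, decision, reasons) tuples."""
    return [(e.user, e.app, *evaluate(e, known_devices)) for e in events]

# Constructed sample data, not taken from the incident.
KNOWN = {"alice": {"laptop-01"}, "bob": {"laptop-02"}}
SAMPLE = [
    SignIn("alice", "salesforce", "laptop-01", True, "US"),
    SignIn("alice", "salesforce", "vm-77", False, "US"),
    SignIn("alice", "wiki", "vm-77", False, "US"),
    SignIn("bob", "salesforce", "laptop-02", True, "NL"),
]

if __name__ == "__main__":
    for row in replay(SAMPLE, KNOWN):
        print(row)
```

The same reasons list can feed alerting: a `deny` on a sensitive app shortly after a help desk credential change is the sequence worth paging on.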

ADT's Response

ADT said it conducted a follow-up investigation to determine the breach's full scope. The company is notifying affected customers and has reset credentials for compromised accounts.

This marks ADT's third security incident in the past year, raising questions about the home security provider's own defenses. When the company protecting millions of homes can't protect its own customer data, the irony isn't lost on anyone paying attention.
