- ShinyHunters stole personal data of 5.5 million people from home security giant ADT and leaked it after extortion failed.
- The breach came through a voice phishing attack on an employee’s Okta SSO account, then pivoted into Salesforce.
- This is ADT’s third disclosed data breach in eight months—unusual for a company whose entire business is security.
ADT, the oldest and largest home security company in the United States, confirmed that the ShinyHunters extortion group stole the personal information of 5.5 million individuals after breaching its systems on April 20. The stolen data—names, phone numbers, physical addresses, and in a small percentage of cases, dates of birth and the last four digits of Social Security numbers—was published as an 11GB archive on ShinyHunters’ dark web leak site after ADT refused to pay the ransom.
ADT, founded in 1874 as American District Telegraph and currently serving over 6 million residential and small-business customers, said the intrusion was limited to customer and prospective customer data. No payment information—bank accounts or credit cards—was accessed, and the company says its monitored security systems were not affected. ADT has contacted all affected individuals, according to a statement shared with BleepingComputer.
The breach is ADT’s third disclosed security incident since August 2024, when the company first reported that employee data had been exposed. A second breach followed in October 2024. Three breaches in eight months is a troubling pattern for any company. For one whose brand identity is built on the promise of protecting what customers value most, it strains credulity.
How ShinyHunters Broke In—And Why It Worked
ShinyHunters told BleepingComputer they gained access through a voice phishing (vishing) attack that compromised an ADT employee’s Okta single sign-on account. Once inside, the attackers pivoted to the company’s Salesforce instance and exfiltrated customer records. The method is not exotic: a human attacker calls an employee, impersonates IT support, and convinces them to approve a login session in real time. A live phishing panel intercepts the credentials and multi-factor authentication tokens while the victim is still on the phone. ShinyHunters used a similar Snowflake-linked approach to breach Rockstar Games earlier this month.
New research from Silent Push, detailed by Industrial Cyber, describes the ShinyHunters operation as part of a predatory alliance called SLSH—combining Scattered Spider’s social engineering playbook with LAPSUS$’s extortion model. The group has targeted over 100 enterprises across technology, fintech, biotech, financial services, and healthcare. Affected organizations include Atlassian, Canva, HubSpot, Moderna, Amgen, and Zillow, among others. Rather than automated credential spraying, SLSH deploys human-led vishing that defeats even mature MFA defenses by intercepting tokens in real time.
After breaching a corporate SSO account, ShinyHunters systematically mines connected SaaS applications—Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Zendesk, and Dropbox—for data that can be used as leverage. ADT’s Salesforce instance was the jackpot here. Other recent ShinyHunters targets include Medtronic, the European Commission, Rockstar Games, McGraw Hill, 7-Eleven, Carnival, Zara, and Udemy. The group’s April 27 deadline for ADT to pay passed with no deal. The data went public.
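The attack chain described in the two paragraphs above (a phished SSO session approved from an attacker-controlled source, followed within minutes by bulk data access in a connected SaaS application) has a detectable shape in identity and SaaS audit logs. The following is an added example written for this article, not code from ADT, Okta or Salesforce: it correlates an MFA approval from a source IP never seen for that user with a large export from a SaaS app shortly afterwards. The pipe-separated log format, the field names, the IP addresses, the baseline of known IPs and the export threshold are all constructed assumptions, not any vendor's schema.

```python
"""Detection heuristic for the phished-SSO-to-SaaS-export chain.

Added example; not ADT's, Okta's or Salesforce's code. The log format,
field names, IP addresses and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str       # "mfa_approved" | "sso_login" | "saas_export"
    src_ip: str
    app: str
    rows: int       # rows exported (0 for non-export events)


def parse_line(line: str) -> Event:
    """Parse one pipe-separated log line (constructed format, not a vendor schema)."""
    ts, user, kind, src_ip, app, rows = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, kind, src_ip, app, int(rows))


# Constructed sample log for one day. alice's 13:02 approval comes from an IP
# she has never used, and a 5.5M-row export follows 19 minutes later.
# bob's approval is also from an unknown IP, but his export is tiny.
SAMPLE_LOG = """\
2025-04-20T09:00:00|alice|mfa_approved|10.0.0.5|okta|0
2025-04-20T09:00:10|alice|sso_login|10.0.0.5|salesforce|0
2025-04-20T13:02:00|alice|mfa_approved|203.0.113.7|okta|0
2025-04-20T13:05:00|alice|sso_login|203.0.113.7|salesforce|0
2025-04-20T13:21:00|alice|saas_export|203.0.113.7|salesforce|5500000
2025-04-20T15:00:00|bob|mfa_approved|198.51.100.2|okta|0
2025-04-20T15:03:00|bob|saas_export|198.51.100.2|salesforce|40
"""

# Source IPs each user has previously authenticated from (constructed baseline).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": set()}


def find_suspicious_sessions(events, known_ips,
                             window=timedelta(minutes=30),
                             export_threshold=10_000):
    """Flag users whose MFA approval from an unseen IP is followed, within
    `window`, by a SaaS export of at least `export_threshold` rows."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            # Only MFA approvals from a source this user has never used matter here.
            if e.kind != "mfa_approved" or e.src_ip in known_ips.get(user, set()):
                continue
            # Look ahead within the window for a bulk export in any connected app.
            for f in evs[i + 1:]:
                if f.ts - e.ts > window:
                    break
                if f.kind == "saas_export" and f.rows >= export_threshold:
                    findings.append({
                        "user": user,
                        "src_ip": e.src_ip,
                        "app": f.app,
                        "rows": f.rows,
                        "minutes_after_mfa": int((f.ts - e.ts).total_seconds() // 60),
                    })
                    break
    return findings


def run_sample():
    """Run the heuristic over the constructed log; returns the list of findings."""
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line]
    return find_suspicious_sessions(events, KNOWN_IPS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

On the sample log this flags only alice (unknown source, 5.5M rows exported 19 minutes after the approval); bob's small export stays below the threshold. The heuristic is a post-hoc control: the approval it keys on only exists because a push or one-time-code factor can be relayed by a caller. Phishing-resistant factors such as FIDO2/WebAuthn bound to a registered device, together with device-trust checks in the SSO policy, remove that approval step entirely, which is the control this class of attack is designed to route around.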
A Security Company That Cannot Secure Itself
The irony of a home security company getting breached through an employee’s login is not lost on anyone paying attention. ADT’s own breach notification page lists at least two prior incidents in 2024, and the company has not publicly disclosed what changes it made after those earlier breaches to prevent a recurrence. The fact that a third breach succeeded through the same class of vulnerability—phished employee credentials—raises questions about whether ADT’s internal security investments match the scale of its customer-facing promises. It is the same class of credential-based attack that recently compromised Vercel through an AI coding tool.
Have I Been Pwned analyzed the leaked data and confirmed that 5.5 million unique email addresses were exposed alongside names, dates of birth, phone numbers, physical addresses, and partial government-issued IDs. While ADT emphasized that no payment data or security system credentials were compromised, the combination of names, addresses, phone numbers, and partial Social Security numbers is enough to fuel identity theft campaigns for years. The data is now permanently outside ADT’s control.
ADT said the intrusion was “limited”—a word choice that sits uncomfortably next to 5.5 million affected individuals. ShinyHunters originally claimed 10 million stolen records. The discrepancy may reflect the difference between total records and unique individuals, or it may mean ADT’s investigation has not yet captured the full scope. As reported by GovInfoSecurity, the attack was credited to the same ShinyHunters group that has claimed responsibility for recent breaches at Medtronic and other major corporations.
ADT detected the breach on April 20 and terminated the intrusion the same day. The company’s public statements since then have followed the standard incident response script: limited impact, no payment data, affected individuals contacted. What the statements do not address is why three separate breaches in eight months have all succeeded through credential-based attack vectors—and what, if anything, ADT plans to do differently before the fourth.
The 11GB archive of ADT customer data is now available on ShinyHunters’ dark web leak site.
