
ADT Breach Exposes 5.5 Million Accounts via Okta Vishing Attack


Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Mashable

ADT confirmed a breach affecting 5.5 million accounts after a vishing‑based compromise of an employee Okta account, leading ShinyHunters to leak 11 GB of data.

Context

ADT provides electronic security and monitoring services to residential and small‑business customers. In April 2026 attackers used a voice phishing (vishing) call to trick an employee into revealing Okta credentials, granting access to the company’s Salesforce environment.

Key Facts

- On April 20, 2026 ADT detected unauthorized cloud access, notified law enforcement, and hired third‑party investigators.
- Approximately 5.5 million unique accounts were impacted; exposed data included names, emails, phone numbers, addresses, dates of birth, and the last four digits of Social Security or Tax IDs.
- No payment card information or security‑system controls were accessed.
- After failing to extort ADT, ShinyHunters published an 11 GB archive of the stolen data on a dark‑web forum.
- The attack chain follows MITRE ATT&CK techniques T1566.002 (Voice Phishing) and T1078 (Valid Accounts) for initial access and credential use.

What It Means

The exposed personal data enables identity‑theft and credential‑stuffing campaigns. Affected individuals face heightened risk of fraud, while ADT may incur regulatory scrutiny and potential class‑action liability. The leak also supplies threat actors with reusable data for future social‑engineering attempts.

Mitigations

- Enforce phishing‑resistant MFA (e.g., FIDO2) for all privileged and remote access accounts.
- Monitor Okta sign‑in logs for impossible travel, new device registrations, and atypical application launches; alert on patterns matching T1078.
- Apply the principle of least privilege to Salesforce integrations and review API token expiration.
- Deploy email and voice‑call authentication controls, and conduct regular vishing awareness training.
- Refer to CISA Advisory AA23‑045A for Okta hardening guidance and update detection signatures for known ShinyHunters IOCs.
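The sign-in monitoring recommended above can be sketched as follows. This is an added example, not code from ADT, Okta or the original article: the events are constructed, they use a simplified subset of Okta System Log fields, and the speed threshold, user names and per-user app baseline are assumptions.

```python
# Added example: constructed events, simplified subset of Okta System Log fields.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900  # assumption: anything faster than an airliner is "impossible"

def km_between(a, b):  # haversine great-circle distance between (lat, lon) pairs
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events, baseline_apps):
    """Flag impossible travel between logins and SSO to apps outside a user's baseline."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["published"]):
        user = ev["actor"]["alternateId"]
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if ev["eventType"] == "user.session.start":
            geo = ev["client"]["geographicalContext"]["geolocation"]
            here = (geo["lat"], geo["lon"])
            if user in last_login:
                prev_when, prev_here = last_login[user]
                # Floor the interval at one minute to avoid dividing by zero.
                hours = max((when - prev_when).total_seconds() / 3600, 1 / 60)
                dist = km_between(prev_here, here)
                if dist / hours > MAX_KMH:
                    alerts.append(("impossible_travel", user, round(dist)))
            last_login[user] = (when, here)
        elif ev["eventType"] == "user.authentication.sso":
            app = ev["target"][0]["displayName"]
            if app not in baseline_apps.get(user, set()):
                alerts.append(("atypical_app", user, app))
    return alerts

def login(ts, user, lat, lon):  # builds a constructed sign-in event
    return {"published": ts, "eventType": "user.session.start", "actor": {"alternateId": user},
            "client": {"geographicalContext": {"geolocation": {"lat": lat, "lon": lon}}}}

def sso(ts, user, app):  # builds a constructed app-launch event
    return {"published": ts, "eventType": "user.authentication.sso",
            "actor": {"alternateId": user}, "target": [{"displayName": app}]}

BASELINE = {"j.doe@example.com": {"Office 365"}, "a.lee@example.com": {"Salesforce"}}
SAMPLE_EVENTS = [  # constructed sample data
    login("2026-04-20T09:00:00Z", "j.doe@example.com", 26.37, -80.10),
    login("2026-04-20T09:40:00Z", "j.doe@example.com", 52.37, 4.90),
    sso("2026-04-20T09:42:00Z", "j.doe@example.com", "Salesforce"),
    login("2026-04-20T08:00:00Z", "a.lee@example.com", 40.71, -74.00),
    login("2026-04-20T12:00:00Z", "a.lee@example.com", 40.73, -73.99),
    sso("2026-04-20T12:05:00Z", "a.lee@example.com", "Salesforce")]
```

Calling `detect(SAMPLE_EVENTS, BASELINE)` returns two alerts for the first user and none for the second, whose logins are a few kilometres apart and whose app launch is in baseline.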

What to watch next

Watch for follow‑on credential‑stuffing attacks leveraging the leaked data, any regulatory fines or settlements, and further dark‑web activity from ShinyHunters.
