ADT Breach Exposes Names, Phones, Partial SSNs as ShinyHunters Claims 10M Records Stolen

Context ADT’s security team detected unauthorized access to a limited set of customer and prospective customer data on April 20. The company said its response protocols activated immediately, terminating the intrusion, launching a forensic investigation with third‑party experts and notifying law enforcement. ADT stressed that no payment card information, bank details or security‑system controls were compromised.

Key Facts - ShinyHunters told BleepingComputer it stole over 10 million records; ADT has not verified that figure but confirmed access to customer data. - Exposed data includes names, phone numbers, addresses and, for a small percentage of individuals, dates of birth and the last four digits of SSNs or Tax IDs. - ADT has notified all affected individuals and will provide free identity‑protection services. - The alleged attack vector is voice phishing (vishing) targeting an employee’s Okta single sign‑on account, which then allowed access to ADT’s Salesforce environment. - No financial data or security‑system functionality was accessed, according to ADT.

What It Means Even without full Social Security numbers, the combination of names, contact details and partial identifiers enables convincing social‑engineering scams. Attackers can use the data to impersonate ADT, reset accounts or harvest additional personal information. The incident highlights a growing trend where ransom‑and‑extortion groups focus on identity systems and employee credentials rather than direct infrastructure exploits.

Mitigations Organizations should enforce phishing‑resistant multi‑factor authentication for all privileged and SSO accounts, especially Okta and similar identity providers. Monitor authentication logs for impossible travel, unusual geographic logins or repeated failed attempts (MITRE ATT&CK T1078.004). Restrict Salesforce API access to least‑privilege roles and enable API anomaly detection (T1190). Conduct regular vishing awareness training and simulate voice‑phishing attempts to improve employee vigilance. Finally, maintain an up‑to‑date inventory of third‑party integrations and enforce strict data‑loss‑prevention rules on exported customer records.

Watch for further statements from ADT regarding the exact record count and any potential regulatory filings, as well as any follow‑up extortion demands from ShinyHunters.