
ADT Breach Exposes 5.5 Million Customers' Data After ShinyHunters Vishing Attack

ShinyHunters leaked 11GB of ADT customer data after compromising an Okta account via voice phishing. Names, phones, addresses, and partial IDs exposed.

By Peter Olaleru, Cybersecurity Editor

ADT data breach

Source: Help Net Security

TL;DR: ShinyHunters leaked an 11GB archive containing personal data of 5.5 million ADT customers after compromising an employee Okta account via voice phishing. ADT confirmed names, phone numbers, addresses, and partial government IDs were exposed, but payment systems and security services remained untouched.

Context

ADT, the nation’s oldest home‑security provider, detected the intrusion on April 20 and launched an investigation. The attacker claimed to have stolen over 10 million records, but Have I Been Pwned’s analysis of the leaked archive fixed the count at 5.5 million unique individuals. The data appeared on ShinyHunters’ dark‑web leak site after extortion attempts failed.

Key Facts

The breach began with a voice‑phishing (vishing) call that tricked an employee into revealing Okta credentials. Using those valid credentials (MITRE ATT&CK T1078), the group accessed the employee’s SSO session and pivoted to ADT’s Salesforce instance (T1190 – Exploit Public‑Facing Application). From Salesforce they extracted names, phone numbers, physical addresses, and, for a small subset, dates of birth and the last four digits of Social Security or Tax ID numbers. ADT stated no payment card data, bank details, or its alarm‑monitoring systems were accessed. The leaked archive totals 11 GB.

What It Means

For customers, the exposed PII increases the risk of identity theft and social‑engineering scams, though the lack of full SSNs or financial data limits direct fraud. For defenders, the incident highlights the need for phishing‑resistant MFA on SSO platforms, strict conditional access policies, and continuous monitoring of anomalous SaaS logins (e.g., impossible travel, atypical data exports). Recommended actions include enforcing FIDO2 or WebAuthn tokens for Okta, enabling session‑risk policies in Salesforce, and reviewing data‑loss‑prevention rules to flag large exports.
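As an added illustration of the two detections named above (impossible travel between SSO logins and oversized SaaS exports), the following example is not from the article or from any vendor; it runs over a constructed event stream whose field names are assumptions, not the Okta or Salesforce log schema, and the 50,000-row export threshold is likewise an assumed tuning value.

```python
# Flag impossible-travel SSO logins and oversized report exports in a SaaS
# event stream. Event fields (ts, user, type, lat, lon, rows) are assumed
# for this example and do not match any vendor's real log format.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900           # faster than a commercial flight: implausible
EXPORT_ROW_THRESHOLD = 50_000  # assumed DLP threshold for a single export

# Constructed sample log: "jdoe" logs in from Florida, then 25 minutes later
# from Lagos, then pulls 5.5M rows; "asmith" behaves normally.
EVENTS = [
    {"ts": "2025-04-20T09:00:00", "user": "jdoe", "type": "sso.login", "lat": 26.36, "lon": -80.08},
    {"ts": "2025-04-20T09:25:00", "user": "jdoe", "type": "sso.login", "lat": 6.52, "lon": 3.38},
    {"ts": "2025-04-20T09:40:00", "user": "jdoe", "type": "report.export", "rows": 5_500_000},
    {"ts": "2025-04-20T10:00:00", "user": "asmith", "type": "sso.login", "lat": 40.71, "lon": -74.01},
    {"ts": "2025-04-20T11:00:00", "user": "asmith", "type": "report.export", "rows": 120},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events):
    """Return (rule, user, detail) alerts, processing events in time order."""
    alerts = []
    last_login = {}  # user -> (datetime, lat, lon) of the previous login
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "sso.login":
            if user in last_login:
                prev_ts, plat, plon = last_login[user]
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(plat, plon, ev["lat"], ev["lon"])
                # Two logins whose implied speed exceeds any real journey
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append(("impossible_travel", user, round(km)))
            last_login[user] = (ts, ev["lat"], ev["lon"])
        elif ev["type"] == "report.export" and ev["rows"] > EXPORT_ROW_THRESHOLD:
            alerts.append(("large_export", user, ev["rows"]))
    return alerts
```

In production the same two rules would be fed from the identity provider's system log and the SaaS platform's export or report audit trail, with the row threshold tuned to the tenant's normal export sizes.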

Watch for follow‑on credential‑stuffing campaigns using the leaked phone numbers and email addresses, and for any resale of the data on underground markets.
