Cybersecurity | 1 hr ago

ADT Confirms Breach Exposing Names and Phones After ShinyHunters Vishing Attack on Okta

ADT confirms a vishing‑led Okta compromise exposed names, phone numbers and addresses; ShinyHunters claims 10M records stolen. Mitigations inside.

Peter Olaleru / 3 min / US

Cybersecurity Editor

Source: BleepingComputer

TL;DR: ADT confirmed a breach that exposed customer names, phone numbers and addresses after attackers used a vishing call to steal an employee’s Okta SSO credentials and accessed Salesforce data.

Context: On April 20 ADT detected unauthorized access to customer and prospect data, terminated the intrusion and launched an investigation. The company said the compromised information was limited to names, phone numbers and addresses, with a small subset also containing dates of birth or the last four digits of SSNs or Tax IDs. No payment data or security‑system controls were affected.

Key Facts: ShinyHunters posted a leak site claiming over 10 million records containing PII and internal corporate data were stolen, demanding payment or threatening publication. The group told BleepingComputer the entry point was a voice‑phishing (vishing) call that tricked an employee into revealing Okta SSO credentials. Using those credentials the attackers accessed the ADT Salesforce instance and exfiltrated data. This matches ShinyHunters’ recent campaign targeting Microsoft Entra, Okta and Google SSO accounts to pivot into SaaS apps such as Salesforce, Microsoft 365 and Google Workspace.

What It Means: The incident illustrates MITRE ATT&CK technique T1566.002 (Voice Phishing) leading to T1078 (Valid Accounts) and T1133 (External Remote Services) for SaaS access. Defenders should: enforce phishing‑resistant MFA for all SSO accounts, enable Okta adaptive MFA with risk‑based policies, monitor for impossible travel or anomalous login locations, restrict Salesforce API scopes to least privilege, and review SaaS app connector logs for unusual data exports. Deploy detection signatures for Okta event types such as user.session.start with atypical IP or device characteristics. Patch any known Okta misconfigurations (e.g., CVE‑2023‑XXXXX if applicable) and enforce session timeout policies.
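As an added illustration of the detection advice above (not code from the article or from Okta), the script below runs a simple baseline check over constructed Okta System Log user.session.start events: it flags a successful session start from a country or device type the user has not been seen on, and a second country within a short window. The user names, IPs, times and the per-user baseline are all made up; the field names follow the Okta System Log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Okta System Log events (NDJSON); users, IPs and times are made up.
SAMPLE_LOG = """
{"eventType":"user.session.start","published":"2025-04-20T13:02:11.000Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"203.0.113.10","device":"Computer","geographicalContext":{"country":"United States"}}}
{"eventType":"user.session.start","published":"2025-04-20T13:41:50.000Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"198.51.100.77","device":"Unknown","geographicalContext":{"country":"Netherlands"}}}
{"eventType":"user.session.start","published":"2025-04-20T14:10:00.000Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"asmith@example.com"},"client":{"ipAddress":"203.0.113.22","device":"Mobile","geographicalContext":{"country":"United States"}}}
{"eventType":"user.authentication.sso","published":"2025-04-20T14:11:00.000Z","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"asmith@example.com"},"client":{"ipAddress":"203.0.113.22","device":"Mobile","geographicalContext":{"country":"United States"}}}
"""

# Constructed per-user baseline: countries and device types seen during a learning period.
BASELINE = {
    "jdoe@example.com": {"countries": {"United States"}, "devices": {"Computer"}},
    "asmith@example.com": {"countries": {"United States"}, "devices": {"Mobile", "Computer"}},
}

def parse_events(raw):
    """Parse NDJSON Okta events, keeping only successful user.session.start entries, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        if ev.get("eventType") == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            events.append(ev)
    return sorted(events, key=lambda e: e["published"])

def flag_sessions(events, baseline, travel_window=timedelta(hours=2)):
    """Return one alert per session start from an unseen country/device, or a country change within travel_window."""
    alerts, last_seen = [], {}
    for ev in events:
        user = ev["actor"]["alternateId"]
        client = ev["client"]
        country = client["geographicalContext"]["country"]
        device = client.get("device", "Unknown")
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        known = baseline.get(user, {"countries": set(), "devices": set()})
        reasons = []
        if country not in known["countries"]:
            reasons.append(f"new country {country}")
        if device not in known["devices"]:
            reasons.append(f"new device type {device}")
        prev = last_seen.get(user)  # (time, country) of this user's previous session start
        if prev and prev[1] != country and when - prev[0] <= travel_window:
            reasons.append(f"impossible travel {prev[1]} -> {country} in {when - prev[0]}")
        last_seen[user] = (when, country)
        if reasons:
            alerts.append({"user": user, "ip": client["ipAddress"], "time": ev["published"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in flag_sessions(parse_events(SAMPLE_LOG), BASELINE):
        print(alert)
```

In production the baseline would be built from the user's recent history rather than hard-coded, and the country-change check should be tightened to a distance/time threshold rather than a fixed window.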

Watch for follow‑up extortion attempts, potential resale of the stolen PII on underground markets, and any regulatory filings ADT may issue regarding breach notification timelines.
