ADT Confirms Limited Data Exposure After ShinyHunters Vishing Attack

ADT confirms a vishing‑driven breach exposed names, contacts and partial SSNs; no payment or system data accessed. What defenders should watch next.

Peter Olaleru/3 min/NG

Cybersecurity Editor

Source: BleepingComputer

On April 20, ADT detected unauthorized access to a limited set of customer data after a voice‑phishing (vishing) attack compromised an employee’s Okta single sign‑on account. The intruder reached ADT’s Salesforce system and exfiltrated names, phone numbers, addresses and, for a small subset, dates of birth plus the last four digits of SSNs or Tax IDs. No payment information or security‑system controls were accessed.

Context

ADT’s security team spotted the intrusion on April 20, triggered response protocols, terminated the session, launched a forensic investigation with third‑party experts, and notified law enforcement. The company says the breach was identified quickly and the scope was limited. ShinyHunters, a known cybercrime group, claims it stole over 10 million records via the vishing route, though ADT has not validated that figure.

Key Facts

- Attack vector: voice phishing (vishing) targeting an employee’s Okta SSO (MITRE ATT&CK T1566.002).
- Compromised asset: Okta credentials used to pivot into ADT’s Salesforce environment.
- Data exposed: names, phone numbers, addresses; in a small percentage of cases, dates of birth and the last four digits of SSNs or Tax IDs (per ADT statement).
- Data not exposed: payment card details, bank account information, or any customer security‑system configurations.
- ADT has notified all affected individuals and is offering complimentary identity‑protection services where appropriate.

What It Means

The incident shows how social engineering can bypass technical controls by stealing valid credentials. Defenders should enforce phishing‑resistant multi‑factor authentication (e.g., FIDO2 or PKI‑based tokens) for privileged SSO accounts, monitor Okta sign‑in logs for impossible travel or anomalous authentication patterns (MITRE ATT&CK T1078), and enforce least‑privilege access to Salesforce APIs. Regular employee vishing simulations and clear call‑verification procedures reduce the chance of successful voice‑phishing. Organizations should also review data‑retention policies to limit the amount of personal data stored in CRM systems.
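The impossible-travel check on Okta sign-in logs recommended above, as an added example (not from ADT, Okta or the original article): it scores consecutive successful `user.session.start` events per user by implied travel speed. The events, users, IPs, both thresholds and the `sample_event` helper are constructed assumptions; only the field names follow the Okta System Log layout.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH, MIN_KM = 900.0, 50.0  # assumed: airliner speed; floor for geo-IP jitter

def sample_event(ts, user, ip, latlon, result="SUCCESS"):
    """Constructed event using the Okta System Log field layout read below."""
    geo = {"geolocation": {"lat": latlon[0], "lon": latlon[1]}} if latlon else None
    return {"published": ts, "eventType": "user.session.start",
            "actor": {"alternateId": user}, "outcome": {"result": result},
            "client": {"ipAddress": ip, "geographicalContext": geo}}

SAMPLE = [  # constructed data: documentation IP ranges, example.com users
    sample_event("2025-01-10T09:00:00.000Z", "alice@example.com", "198.51.100.7", (40.71, -74.01)),
    sample_event("2025-01-10T09:40:00.000Z", "alice@example.com", "203.0.113.9", (6.52, 3.38)),
    sample_event("2025-01-10T09:00:00.000Z", "bob@example.com", "192.0.2.10", (41.88, -87.63)),
    sample_event("2025-01-10T13:00:00.000Z", "bob@example.com", "192.0.2.44", (41.90, -87.65)),
    sample_event("2025-01-10T13:05:00.000Z", "bob@example.com", "203.0.113.50", (51.51, -0.13), "FAILURE"),
    sample_event("2025-01-10T10:00:00.000Z", "carol@example.com", "192.0.2.77", None),
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive successful sign-ins per user whose implied speed exceeds max_kmh."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["published"]):
        client = ev.get("client") or {}
        geo = (client.get("geographicalContext") or {}).get("geolocation")
        success = (ev.get("outcome") or {}).get("result") == "SUCCESS"
        if ev.get("eventType") != "user.session.start" or not success or not geo:
            continue  # score only successful sign-ins with resolved geolocation
        user, ip = ev["actor"]["alternateId"], client.get("ipAddress")
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        here = (geo["lat"], geo["lon"])
        if user in last:
            prev_when, prev_here, prev_ip = last[user]
            km = haversine_km(prev_here, here)
            hours = max((when - prev_when).total_seconds() / 3600, 1e-6)
            if km > MIN_KM and km / hours > max_kmh:
                alerts.append({"user": user, "from_ip": prev_ip, "to_ip": ip, "km": round(km)})
        last[user] = (when, here, ip)
    return alerts

if __name__ == "__main__":
    print(impossible_travel(SAMPLE))
```

Corporate VPN or proxy egress points shift IP geolocation and will produce false positives, so known egress addresses need an allowlist before this feeds an alert.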

Watch next: whether ShinyHunters follows through on its threat to leak the claimed data, any regulatory actions stemming from the exposure of partial SSNs, and ADT’s post‑breach security upgrades, especially around identity‑and‑access management.
