
ShinyHunters Voice-Phishing Attack Exposes 5.5 Million ADT Customer Emails

Voice phishing compromised an ADT employee’s SSO credentials, exposing 5.5 million email addresses via Salesforce.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Mashable

ShinyHunters used voice phishing to steal an employee’s Okta SSO credentials and access ADT’s Salesforce account. The company detected unauthorized access to limited customer and prospective customer data on April 20 and immediately terminated the intrusion. This breach exposed 5.5 million unique email addresses, alongside names, phone numbers, addresses, and a minority of Social Security and Tax ID numbers.

The attackers leveraged compromised SSO credentials, a tactic cataloged in the MITRE ATT&CK framework as valid accounts, to pivot into the CRM environment. Voice phishing, or vishing, manipulates targets over the phone to bypass technical controls, and security provider Okta has warned of its rising prevalence. This pattern mirrors the SSO phishing used in the group’s recent Panera Bread breach.

What defenders should do: maintain strict credential hygiene, enable multi-factor authentication, and monitor for anomalous SSO logins. Organizations should deploy anti-phishing training, conditional access policies, and detection signatures for unusual API activity in cloud services. What to watch next is whether this intrusion triggers regulatory scrutiny or class-action litigation.
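One way to combine the "anomalous SSO login" and "unusual API activity" monitoring described above, as an added example that is not from the article, ADT, Okta or Salesforce: it correlates a sign-in from a device outside the user's baseline with the volume of CRM records read afterwards from the same IP. The event fields, thresholds, device baseline and sample events are constructed assumptions, not a real Okta or Salesforce log schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # assumed correlation window after the sign-in
ROW_THRESHOLD = 10_000        # assumed ceiling on records read in that window

# Constructed baseline of devices each user normally signs in from.
KNOWN_DEVICES = {"alice": {"dev-A"}, "bob": {"dev-B"}, "carol": {"dev-C"}}

# Constructed, normalized events; not a real Okta or Salesforce log schema.
EVENTS = [
    {"ts": "2025-01-10T08:00:00", "src": "sso", "user": "bob", "ip": "203.0.113.10", "device": "dev-B"},
    {"ts": "2025-01-10T08:05:00", "src": "crm_api", "user": "bob", "ip": "203.0.113.10", "rows": 200},
    {"ts": "2025-01-10T08:30:00", "src": "sso", "user": "carol", "ip": "203.0.113.20", "device": "dev-N"},
    {"ts": "2025-01-10T08:40:00", "src": "crm_api", "user": "carol", "ip": "203.0.113.20", "rows": 150},
    {"ts": "2025-01-10T09:00:00", "src": "sso", "user": "alice", "ip": "198.51.100.7", "device": "dev-X"},
    {"ts": "2025-01-10T09:10:00", "src": "crm_api", "user": "alice", "ip": "198.51.100.7", "rows": 4000},
    {"ts": "2025-01-10T09:40:00", "src": "crm_api", "user": "alice", "ip": "198.51.100.7", "rows": 5000},
    {"ts": "2025-01-10T10:30:00", "src": "crm_api", "user": "alice", "ip": "198.51.100.7", "rows": 3000},
    {"ts": "2025-01-10T12:00:00", "src": "crm_api", "user": "alice", "ip": "198.51.100.7", "rows": 9000},
]

def detect(events, known_devices, window=WINDOW, row_threshold=ROW_THRESHOLD):
    """Flag sign-ins from an unseen device followed by bulk CRM reads from the same IP."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO 8601 strings sort by time
    alerts = []
    for i, login in enumerate(events):
        if login["src"] != "sso":
            continue
        if login["device"] in known_devices.get(login["user"], set()):
            continue  # familiar device: volume-only anomalies belong to another rule
        start = datetime.fromisoformat(login["ts"])
        rows = sum(
            e["rows"] for e in events[i + 1:]
            if e["src"] == "crm_api"
            and e["user"] == login["user"] and e["ip"] == login["ip"]
            and datetime.fromisoformat(e["ts"]) - start <= window
        )
        if rows >= row_threshold:
            alerts.append({"user": login["user"], "ip": login["ip"],
                           "device": login["device"], "login_ts": login["ts"], "rows": rows})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_DEVICES):
        print("ALERT", alert)
```

Matching on source IP is a simplification; where the identity provider and the CRM both log a session identifier, join on that instead.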
