
ShinyHunters Vishing Breach Hits ADT, 5.5M Records Exposed

Voice‑phishing attack on an Okta SSO account gave ShinyHunters access to 5.5 million ADT customer emails, names, phones and partial SSNs. No payment data was taken.

Peter Olaleru/3 min/US

Cybersecurity Editor

Source: Mashable

ShinyHunters used voice phishing to steal an employee’s Okta SSO credentials and accessed ADT’s customer database, exposing 5.5 million email addresses and personal details. Payment card data was not taken, but names, phones, addresses and partial SSNs were compromised.

Context

ADT provides security systems to millions of homes and businesses. On April 20 its internal monitoring flagged unauthorized access to a limited set of customer and prospect data. The company immediately terminated the intrusion, launched a forensic investigation with third‑party experts and notified law enforcement.

Key Facts

- The breach exposed 5.5 million unique email addresses belonging to ADT customers.
- Exposed fields included names, phone numbers, mailing addresses and, for a subset, Social Security or Tax ID numbers.
- Payment card information was not compromised according to ADT’s statement.
- ShinyHunters gained entry by compromising an employee’s Okta single‑sign‑on credential via a voice‑phishing (vishing) call.
- The attackers then navigated the Okta SSO portal to reach the ADT Salesforce environment where customer records were stored.
- This technique maps to MITRE ATT&CK T1566.002 (Voice Phishing).

What It Means

The incident shows that even strong SSO platforms can be bypassed when attackers defeat the human factor with vishing. Organizations should enforce phishing‑resistant MFA, monitor Okta login anomalies, and restrict SSO access to least‑privilege roles. Defenders should also train staff to recognize unsolicited calls requesting credentials and implement call‑verification procedures. Watching for follow‑on activity, such as the appearance of the stolen data on underground markets or attempts to use the partial SSNs for identity fraud, will be critical in the coming weeks.
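One way to act on the "monitor Okta login anomalies" recommendation, as an added example that is not from the article, ADT or Okta: flag a successful SSO into Salesforce from an IP address that only recently appeared for that user. The events are constructed and use a subset of Okta System Log field names; the function names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

def _ev(ts, etype, user, ip, app=None, result="SUCCESS"):
    # Builds a constructed event using a subset of Okta System Log field names.
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "target": [{"type": "AppInstance", "displayName": app}] if app else []}

# Constructed sample data (documentation IP ranges), not taken from the incident.
SAMPLE_EVENTS = [
    _ev("2024-01-05T14:00:00.000Z", "user.session.start", "alice@example.com", "198.51.100.10"),
    _ev("2024-01-05T14:01:00.000Z", "user.authentication.sso", "alice@example.com", "198.51.100.10", "Salesforce"),
    _ev("2024-01-20T09:00:00.000Z", "user.session.start", "alice@example.com", "203.0.113.77"),
    _ev("2024-01-20T09:04:00.000Z", "user.authentication.sso", "alice@example.com", "203.0.113.77", "Salesforce"),
    _ev("2024-01-20T10:00:00.000Z", "user.authentication.sso", "bob@example.com", "198.51.100.20", "Salesforce"),
    _ev("2024-01-21T08:00:00.000Z", "user.authentication.sso", "alice@example.com", "192.0.2.5", "Salesforce", "FAILURE"),
]

def _ts(ev):
    return datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")

def flag_new_client_sso(events, app="Salesforce", window=timedelta(hours=24)):
    """Flag successful SSO into `app` from an IP that first appeared for that
    user within `window`, when the user already has older activity elsewhere."""
    first_seen = {}  # (user, ip) -> first time this pair was seen
    user_start = {}  # user -> time of the user's earliest successful event
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["outcome"]["result"] != "SUCCESS":
            continue  # failed attempts do not establish or use a baseline here
        user, ip, ts = ev["actor"]["alternateId"], ev["client"]["ipAddress"], _ts(ev)
        user_start.setdefault(user, ts)
        seen_at = first_seen.setdefault((user, ip), ts)
        to_app = ev["eventType"] == "user.authentication.sso" and any(
            t.get("type") == "AppInstance"
            and app.lower() in (t.get("displayName") or "").lower()
            for t in ev.get("target", []))
        # New IP (not the user's first ever) reaching the app soon after it appeared.
        if to_app and seen_at > user_start[user] and ts - seen_at <= window:
            alerts.append((user, ip, ev["published"]))
    return alerts

if __name__ == "__main__":
    for alert in flag_new_client_sso(SAMPLE_EVENTS):
        print("review:", alert)
```

A user's very first IP is treated as baseline, so the check needs some log history before it produces useful results.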
