ADT Confirms Data Breach — ShinyHunters Expose 5.5 Million Customer Records via Okta Vishing Attack
What Happened
Home security giant ADT has confirmed a data breach affecting approximately 5.5 million customers, with the prolific ShinyHunters extortion group claiming responsibility. The attackers gained initial access by voice-phishing (vishing) an ADT employee and compromising their Okta single sign-on credentials, which gave them access to the company’s Salesforce instance.
ShinyHunters listed ADT on their data leak blog around April 24, 2026, and subsequently dumped an 11 GB archive of stolen data after ADT reportedly refused to meet extortion demands. According to Have I Been Pwned, the breach exposed 5.5 million unique email addresses along with names, physical addresses, and phone numbers. A smaller subset of records also included dates of birth and partial Social Security numbers.
ADT says no payment information or security system data was compromised. The company has engaged forensic investigators, notified law enforcement, and will offer identity protection services to affected individuals. This marks at least the third breach disclosure for ADT, following incidents in August and October 2024.
Sources
- BleepingComputer — ADT Data Breach Affects 5.5 Million People
- BankInfoSecurity — ADT Breach Analysis
- Mashable — ADT ShinyHunters Breach
Why This Matters
ShinyHunters continues its absolute rampage through 2026. This group has now hit ADT, Amtrak, Carnival Corp, Medtronic, and dozens of others in just the past few weeks. The common thread? Social engineering of SSO credentials. Voice phishing bypasses MFA tokens and security keys because the attacker convinces a human to hand over access — no exploit needed.
For a home security company that literally sells “protection,” a breach of this scale is a brutal irony. But the bigger takeaway is that Okta-based SSO remains a prime target. Organizations need to invest in phishing-resistant authentication (hardware keys with attestation), employee security awareness training focused on vishing, and aggressive session monitoring on identity providers.


