Home security company ADT has confirmed an ADT data breach that exposed the personal information of millions of customers across the United States. The attack started with a phone call. It ended with an 11GB archive of stolen data published on the dark web.
What Happened at ADT
ADT detected unauthorized access to its systems on April 20, 2026. The company moved quickly to shut down the intrusion and brought in third-party cybersecurity experts to investigate. It also notified law enforcement.
Attackers accessed customer and prospective customer records stored in ADT’s Salesforce environment. ADT confirmed that no payment data, bank account details, or credit card numbers were taken. Customer security systems were also left untouched.
For most affected individuals, the stolen data includes names, phone numbers, and home addresses. In a smaller number of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also exposed.
How the Attackers Got In
ShinyHunters did not exploit a software vulnerability to carry out this breach. Instead, the group used a voice phishing attack, commonly called vishing, to trick an ADT employee into handing over their Okta single sign-on credentials.
Vishing is a form of social engineering conducted over the phone. Criminals call employees while impersonating IT support staff. They build a convincing scenario, often claiming there is an urgent issue with the employee’s account, then guide the victim into sharing login details or approving authentication requests in real time.
Once ShinyHunters had those credentials, they moved into ADT’s connected Salesforce instance. From there, they pulled customer records at scale.
This method is not unique to ADT. ShinyHunters has been running coordinated vishing campaigns since at least late 2025, targeting employees at organizations that rely on single sign-on systems. Okta, Microsoft Entra, and Google SSO have all served as entry points. After gaining access to one account, the group pivots into connected SaaS platforms, including Salesforce, Microsoft 365, Google Workspace, Slack, Zendesk, and Dropbox.
The Scale of the Breach
ShinyHunters initially claimed to have stolen over 10 million records. When ADT declined to pay a ransom, the group published a compressed 11GB archive on their dark web leak site.
The breach-tracking service Have I Been Pwned analyzed the leaked data and identified 5.5 million unique email addresses. That figure covers a significant portion of ADT’s customer base. At the close of 2025, ADT reported approximately 6.1 million active security monitoring subscribers.
Have I Been Pwned also found that 71% of the exposed addresses were already in its database from previous breaches. So many of those affected now carry a longer history of exposed personal data across multiple incidents.
ADT has been contacting affected individuals directly and is offering complimentary identity protection services where appropriate.
ADT’s Third Breach in Under Two Years
This is not the first time ADT has dealt with a serious data security incident. In August 2024, a breach resulted in approximately 30,800 customer records being leaked on a hacking forum. Two months later, in October 2024, ADT disclosed another incident that exposed encrypted employee account data.
Three confirmed breaches in under two years is a significant pattern for a company whose core business is security.
ShinyHunters: A Threat That Keeps Scaling
The group behind this attack has become one of the most active extortion operations targeting large organizations. In the weeks around the ADT breach, ShinyHunters also claimed attacks against Medtronic, the European Commission, Rockstar Games, McGraw Hill, 7-Eleven, Carnival, Zara, and Udemy, among others.
Researchers at Google’s Mandiant, Sophos, and Silent Push are all actively tracking these campaigns. Analysts describe the operation as human-led and highly interactive. Unlike automated credential attacks, these vishing campaigns involve real people on live calls who adapt their approach in real time to convince victims to approve login requests or enter authentication codes.
The phishing kits behind these attacks are sold as a service. They mimic the exact authentication flows of major identity providers, so employees have little visual cue that something is wrong. Even organizations with multi-factor authentication have been hit, because the social engineering happens during an active call before the victim can pause and question it.
What This Means for Affected Customers
If you are an ADT customer, your home address, phone number, and email address may now circulate among criminal networks. In some cases, partial government ID numbers are also out there.
The most immediate risk is targeted phishing. Criminals holding this data can craft convincing emails or messages that appear to come from ADT or from other companies you use. So treat any unexpected communication asking you to confirm account details, click a link, or take urgent action with real skepticism.
You should also monitor your credit closely. If you are concerned about the exposure of your partial Social Security number, consider placing a fraud alert or credit freeze with the major bureaus.
Final Thoughts
The ADT data breach shows that even companies built around physical security can be undone by a single phone call. The attackers needed no technical exploit. They needed one employee, one convincing conversation, and one set of login credentials.
For customers, the damage is already done. But for organizations still relying on traditional MFA and employee awareness alone, this breach makes a strong case for phishing-resistant authentication, such as hardware security keys, and stricter verification procedures for any IT support interaction involving account credentials. Because when the attacker is on the phone, the window to stop them is very short.
