ADT Confirms Customer Data Breach After ShinyHunters Extortion Claim
ADT disclosed that attackers gained unauthorized access to certain cloud-based environments and stole customer and prospective customer data, prompting the company to activate incident response measures, engage forensic specialists, notify law enforcement, and contact affected individuals. The exposed information included names, phone numbers, and home addresses, with dates of birth and the last four digits of Social Security numbers or Tax IDs affected in a smaller number of cases; ADT said payment information was not accessed and customer home security systems were not impacted.
The disclosure followed claims by the ShinyHunters extortion group that it had stolen more than 10 million records and internal corporate data and would leak the information if its demands were not met. Reporting tied the intrusion to a suspected vishing attack that allegedly compromised an employee's Okta single sign-on account and enabled access to ADT's Salesforce environment, matching a broader pattern in which the group targets enterprise SSO accounts and connected SaaS platforms to steal data for extortion.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters leaks 11GB of ADT data after failed extortion
After ADT reportedly refused the extortion demand, ShinyHunters published an 11GB archive of allegedly stolen ADT data on its dark web leak site. The leak marked an escalation from the group's earlier threat to release the data unless ADT made contact.
Reporting links ADT breach to Okta social engineering and Salesforce access
Independent reporting indicated the attackers may have socially engineered an ADT employee to gain access to the company’s Okta environment and then exfiltrated data from Salesforce. The reported intrusion path aligned with a broader ShinyHunters pattern of targeting single sign-on platforms and Salesforce-related data stores.
Have I Been Pwned lists 5.5 million emails from ADT breach
Independent reporting said Have I Been Pwned added 5.5 million unique email addresses linked to the ADT incident. The listing suggested the breach may be significantly larger than ADT's public description of the stolen data.
ADT offers identity protection to affected individuals
As part of its response, ADT directly notified impacted people and offered complimentary identity protection services where appropriate. The company said its investigation was ongoing and it did not believe the incident would materially affect business operations.
ADT files SEC disclosure confirming the breach
ADT disclosed the incident in an SEC Form 8-K filed on 2026-04-24, confirming unauthorized access and theft of limited customer and prospective customer data. The company said it had engaged third-party forensic experts, notified law enforcement, and begun notifying affected individuals.
ShinyHunters claims ADT breach and threatens data leak
On 2026-04-23, the ShinyHunters extortion group claimed on its leak site that it had stolen more than 10 million ADT records and internal corporate data. The group threatened to leak the data unless ADT made contact by 2026-04-27.
ADT investigates theft of customer and prospect data
Following the intrusion, ADT determined that customer and prospective customer personal information was stolen, primarily names, phone numbers, and addresses, with dates of birth and last four digits of Social Security numbers or Tax IDs exposed in a smaller number of cases. ADT said payment information was not accessed and customer security systems were not affected.
ADT detects and contains unauthorized access to cloud environments
ADT detected unauthorized access to certain cloud-based environments on 2026-04-20 and terminated the intrusion. The company activated its incident response plan and began investigating the breach.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
15 references tracked. Mallory keeps watching after this page renders.
ADT Confirms Major Data Breach Exposing Millions of Names, Partial SSNs
techrepublic.com
Open sourceADT confirms data breach after ShinyHunters threatens data leak | brief | SC Media
scworld.com
Open sourceShinyHunters SSO-to-SaaS Campaign Confirms 5.5M ADT Records - Threat Campaign Analysis
techjacksolutions.com
Open sourceBurglar alarm biz gets burgled, ShinyHunters pursues ransom • The Register
go.theregister.com
Open sourceADT confirms data breach after ShinyHunters leak threat
bleepingcomputer.com
Open sourceADT says customer data stolen in cyber intrusion | The Record from Recorded Future News
therecord.media
Open sourceADT detects cybersecurity incident - ADT
newsroom.adt.com
Open sourceUnclassified
d18rn0p25nwr6d.cloudfront.net
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Claims Large-Scale Data Theft From Dutch Telecom Odido
**ShinyHunters** has claimed responsibility for breaching Dutch telecommunications provider **Odido** (and brand **BEN**) and stealing a much larger dataset than the company initially indicated. Odido previously disclosed that attackers accessed its customer contact system and downloaded customer data, reporting the incident to the Dutch Data Protection Authority, cutting off attacker access, and bringing in external incident-response support. Odido said the exposed data varied by customer and could include identifiers and contact details such as name, address, mobile number, customer number, email address, **IBAN**, date of birth, and some ID details (e.g., passport/driver’s license numbers and validity), while stating that Mijn Odido passwords, call/location/data/billing details, and scans of identity documents were not exposed. ShinyHunters subsequently listed Odido on its leak site and alleged theft of **~21 million records** tied to **~8 million customers**, asserting Odido downplayed the scope. The gang’s claims also include highly sensitive elements—most notably **plaintext passwords**—and additional materials such as internal corporate documents and source code, which (if accurate) would materially increase risks of credential stuffing/account takeover, identity fraud, and follow-on intrusion. At the time of reporting, the expanded dataset details (including plaintext passwords and source code) were presented as **attacker claims** rather than independently confirmed by Odido.
Mar 26, 2026
Figure Data Breach Linked to Employee Social Engineering and ShinyHunters Leak
**Figure Technology Solutions**, a blockchain-based lending/fintech firm, confirmed a **data breach** after an employee was **socially engineered**, enabling attackers to access and exfiltrate a **limited number of files**. The company said it is communicating with partners and impacted individuals, has begun sending notifications, and is offering **free credit monitoring** to recipients of breach notices; it has not publicly disclosed the total number of affected individuals or when the incident was detected. The cybercrime group **ShinyHunters** claimed responsibility and alleged Figure refused to pay a ransom, publishing about **2.5GB** of purportedly stolen data on its leak site. Journalists who reviewed samples reported the exposed data included **names, home addresses, dates of birth, and phone numbers**, increasing risk of identity fraud and follow-on phishing. ShinyHunters also told reporters the intrusion was part of a broader campaign affecting organizations including **Harvard University** and **UPenn**, and referenced victims that rely on **Okta** for single sign-on.
Mar 21, 2026
ShinyHunters Extorts Charter and ZenBusiness After SaaS Account Breaches
Charter Communications confirmed a data breach after **ShinyHunters** threatened to leak allegedly stolen data, with the group claiming it accessed the company on April 1 through a voice-phishing attack that compromised an employee's Microsoft Entra account and opened a path into Charter's Salesforce environment. The attackers said they stole **40 million customer records**, including names, contact details, plan information, support ticket data, and some customer proprietary network information, while Charter said it notified authorities and, based on the data published, no sensitive personal information or CPNI was exfiltrated. The Charter incident follows a broader ShinyHunters extortion campaign targeting enterprise single sign-on accounts and connected SaaS platforms, especially **Salesforce**. In a separate case, the group claimed it stole several terabytes of data from **ZenBusiness** via platforms including Salesforce, Snowflake, and Mixpanel, and threatened to publish the data unless the company responded. Reporting also linked the campaign to claims involving Ameriprise Financial, Infinite Campus, Bumble, Hinge, Match, OkCupid, Mercer Advisors, Beacon Pointe Advisors, and attacks affecting Instructure's Canvas platform, underscoring a repeatable pattern of social engineering, SaaS data theft, and leak-site extortion.
May 30, 2026