CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

ADT data breach attributed to ShinyHunters via vishing and Okta compromise

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

Home security provider ADT detected and confirmed an intrusion on April 20, 2026, leading to the theft of customer and prospective customer data by the ShinyHunters extortion group. The attackers accessed ADT’s Salesforce instance after compromising an employee’s Okta SSO account via voice phishing (vishing). Stolen data included names, phone numbers, addresses, and in a small subset of cases, dates of birth and partial Social Security or Tax ID numbers. No payment or authentication data was accessed, and ADT states customer security systems remained unaffected. ShinyHunters threatened to leak the data—claiming over 10 million records—unless a ransom is paid by April 27, 2026.

Timeline

  1. 25.04.2026 01:53 1 articles · 15h ago

    ADT intrusion confirmed with partial PII theft after ShinyHunters vishing and Okta compromise

    On April 20, 2026, ADT detected an intrusion after a vishing attack compromised an employee’s Okta SSO account, enabling ShinyHunters to access Salesforce and steal customer and prospective customer data. ADT’s investigation confirmed theft of names, phone numbers, addresses, and in some cases dates of birth and partial SSN/Tax ID numbers. ShinyHunters listed ADT on their leak site, claiming over 10 million records were stolen, and demanded payment by April 27, 2026.

    Show sources
    Open in new tab

Information Snippets

  • ADT detected unauthorized access to customer and prospective customer data on April 20, 2026, and subsequently terminated the intrusion and initiated an investigation.

    First reported: 25.04.2026 01:53
    1 source, 1 article
    Show sources

  • The investigation confirmed that compromised data was limited to names, phone numbers, and addresses; a small percentage of records also included dates of birth and the last four digits of Social Security numbers or Tax IDs.

    First reported: 25.04.2026 01:53
    1 source, 1 article
    Show sources

  • ADT reported that no payment information (e.g., bank accounts, credit cards) was accessed and that customer security systems were not compromised.

    First reported: 25.04.2026 01:53
    1 source, 1 article
    Show sources

  • ShinyHunters listed ADT on their leak site, claiming theft of over 10 million records containing PII and internal corporate data, and set a deadline of April 27, 2026, to pay or face public exposure.

    First reported: 25.04.2026 01:53
    1 source, 1 article
    Show sources

  • ShinyHunters reported using a voice phishing (vishing) attack to compromise an employee’s Okta SSO account, from which they accessed ADT’s Salesforce instance to exfiltrate data.

    First reported: 25.04.2026 01:53
    1 source, 1 article
    Show sources

  • The group has previously leveraged vishing campaigns targeting Microsoft Entra, Okta, and Google SSO accounts to gain access to SaaS applications such as Salesforce, Microsoft 365, and Google Workspace for data theft and extortion.

    First reported: 25.04.2026 01:53
    1 source, 1 article
    Show sources