RANDOM CHAOS

ADT Confirms Breach After ShinyHunters Vishing Hit Okta SSO, Salesforce Data Stolen

via BleepingComputer

Original source: "ADT confirms data breach after ShinyHunters leak threat" (BleepingComputer)

ADT detected unauthorized access to customer data on April 20 and has now confirmed the intrusion after ShinyHunters listed the company on its leak site claiming 10 million stolen records. ADT says the exposed data was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. No payment data was touched and customer security systems were not affected, according to the company.

ShinyHunters told BleepingComputer the entry point was a vishing call that compromised an employee’s Okta SSO account, which was then used to pivot into ADT’s Salesforce instance and exfiltrate records. The extortion group has set an April 27 deadline and threatened additional disruption if a ransom is not paid.

This fits a year-long ShinyHunters pattern of phone-based social engineering against Entra, Okta, and Google SSO accounts to reach connected SaaS platforms — Salesforce, Microsoft 365, Workspace, Slack, and others — turning identity provider credentials into a master key for downstream data theft. ADT has now disclosed three breaches inside roughly 18 months.

This is an AI-generated summary. Read the original for the full story.