"The investigation confirmed that the information involved was limited to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included," ADT told BleepingComputer.
Scope of the exposure: 5.5 million people, according to Have I Been Pwned
Data breach notification service Have I Been Pwned analyzed files that the extortion group ShinyHunters published and concluded the breach exposed the data of 5.5 million people. The records reportedly include unique email addresses, names, dates of birth, phone numbers, physical addresses, and partial government-issued IDs. Have I Been Pwned's tally follows ShinyHunters' claim of more than 10 million stolen records and ADT's confirmation that the intrusion was detected on April 20.
What ADT says was accessed — and what was not
ADT told BleepingComputer that its follow-up investigation found the intrusion was limited but did allow attackers to access some individuals' personal information. ADT emphasized that "no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way." ADT has not disclosed a company-wide total number of affected individuals.
ShinyHunters' claimed method: Okta SSO, vishing, and Salesforce
ShinyHunters told BleepingComputer the group breached ADT after compromising an employee's Okta single sign-on (SSO) account in a voice phishing (vishing) attack. Using that employee account, the attackers said they gained access to ADT's Salesforce instance and stole data. The group has repeatedly used vishing campaigns to target employees and Business Process Outsourcing (BPO) agents' SSO accounts for Microsoft Entra, Okta, and Google, then pulled data from connected SaaS apps.
ShinyHunters' pattern and the broader set of alleged victims
ShinyHunters has claimed responsibility for a string of recent intrusions and extortion attempts. The group said it leaked an 11GB archive of stolen ADT data on its dark web leak site after failing to extort the company. In recent weeks the group also claimed to have taken more than 9 million records from Medtronic and alleged breaches impacting the European Commission, Rockstar Games, McGraw Hill, 7-Eleven, Carnival, Zara, and Udemy. According to the group's stated modus operandi, after breaching corporate SSO accounts it exfiltrates data from SaaS platforms including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.
What this means for ADT customers, security teams, and BPO agents
- ADT customers: ADT's statement limits the exposed fields to contact and identification details, and explicitly rules out payment data and compromise of customer security systems. Nevertheless, the presence of names, addresses, emails, phone numbers, and partial government IDs raises risks of targeted phishing, identity fraud, and nuisance contact for individuals whose information appears in the leaked archive.
- Security teams and technologists: The incident underscores the threat vector ShinyHunters has emphasized: social-engineering via vishing to capture SSO credentials and then leveraging connected SaaS environments such as Salesforce. Teams that manage SSO, SaaS permissions, and incident detection will be watching authentication logs, role-based access, and the connections between SSO accounts and high-value apps.
- BPO agents and other outsourced staff: ShinyHunters has specifically targeted employees and BPO agents' SSO accounts in prior campaigns. Organizations that rely on BPO firms or third-party contractors should scrutinize telephony-based attacks, SSO controls, and how vendor access maps to critical SaaS data stores.
ADT was founded in 1874 as American District Telegraph and currently provides monitored security and smart home solutions to over 6 million residential and small-business customers. The company has previously disclosed two other data breaches in August 2024 and October 2024 that exposed employee and customer information. In this latest episode the public record includes three converging elements: ShinyHunters' claim of a large-scale theft, ADT's confirmation that an April 20 intrusion allowed access to personal information for some individuals, and Have I Been Pwned's analysis counting 5.5 million exposed records.
The most immediate unanswered point in the published record is the gap between ShinyHunters' claim of more than 10 million records and Have I Been Pwned's 5.5 million figure; ADT has not published an aggregate count of affected individuals. Meanwhile the group has already published an 11GB archive on its leak site after failed extortion, making the raw material available for analysis and potential misuse.
For the full source reporting, see the original Bleeping Computer story: Home security giant ADT data breach affects 5.5 million people.
