
ADT Confirms Cyber Intrusion After ShinyHunters Extortion Attempt


"The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made," ShinyHunters wrote in its dark‑web post. "They don't care."

ADT confirms "unauthorized access" on April 20 and isolates the intrusion

ADT said it detected "unauthorized access" on April 20, shut the activity down, engaged outside incident responders, and looped in law enforcement. In an 8‑K filing the company said attackers accessed "certain cloud‑based environments." ADT characterized the material taken as a "limited set" of data consisting of names, phone numbers and addresses, with a smaller subset that included dates of birth and the last four digits of Social Security or tax ID numbers. The company said no payment data was accessed and that customer security systems were not touched.

ShinyHunters posts a much larger claim on its dark‑web leak site

On its dark‑web leak site, a posting seen by The Register said the group had exfiltrated "over 10M Salesforce records containing PII and other internal corporate data" and threatened to publish the haul after negotiations with ADT failed. The Register reported the post and quoted ShinyHunters directly; the group framed its action as the result of an unsuccessful attempt to reach an agreement with ADT.

Conflicting tallies: ADT's "limited set," ShinyHunters' "over 10M," and Have I Been Pwned's 5.5M

There is a clear gap between the company's "limited set" and the criminal claim of "over 10M" records. The Register notes that companies tend to define incidents narrowly while criminal actors often inflate their results; the published record here includes a third data point. Have I Been Pwned has listed 5.5 million unique email addresses tied to the incident, a number The Register describes as "far nearer 'millions' than ADT's version of events."

Salesforce mention and "certain cloud‑based environments" point to a SaaS foothold

The ShinyHunters claim specifically names Salesforce, which The Register suggests points to a SaaS foothold rather than an attack on on‑premises alarm panels. ADT has not published a technical account of how the intruders gained access, and its communications have not detailed the initial vector or the precise cloud resources affected beyond the wording in its 8‑K.

What this means for customers, state attorneys general, and security teams

  • Customers: ADT says customer security systems were not touched and no payment data was accessed, but the company acknowledged that names, phone numbers and addresses — and for a subset, dates of birth and last four digits of SSNs or tax IDs — may have been exposed. Customers will be watching for direct notifications and any identity‑protection offerings.
  • State attorneys general and regulators: The Register reports ADT has not yet answered questions about whether it has filed breach notifications with state attorneys general. Regulators monitoring notification timelines and statutory obligations will have to await ADT's formal disclosures.
  • Security teams and cloud administrators: The mention of "certain cloud‑based environments" and Salesforce as a possible vector will focus attention on SaaS access controls, privileged account use, and monitoring of cloud environments that integrate customer and corporate data.

For a company whose business promise is to keep intruders out, the episode exposes an awkward contrast between physical‑security branding and a digital breach. The facts in the public record so far are straightforward: ADT detected and stopped "unauthorized access" on April 20, has described the data taken as a "limited set," and has engaged responders and law enforcement; ShinyHunters claims a far larger haul and has posted on its leak site; Have I Been Pwned lists 5.5 million unique email addresses. ADT has not yet answered The Register's questions about the compromise path, the total number of affected people, the involvement of customers outside the U.S., or whether breach notifications to state attorneys general have been filed — and those outstanding answers will determine how big this incident ultimately looks on paper.
