Emerging ThreatsData Breaches

ADT Confirms Data Breach After ShinyHunters Extortion Threat

Analyst 207||Source: BleepingComputer
Blurred customer information sheet on a cluttered office desk with scattered papers and a pen.

"The investigation confirmed that the information involved was limited to names, phone numbers, and addresses," ADT told BleepingComputer.

ADT detected and halted the intrusion on April 20

ADT said it detected unauthorized access to customer and prospective customer data on April 20, terminated the intrusion, and launched an investigation. That probe determined that personal information was stolen, and ADT said it has contacted all affected individuals. In its statement to BleepingComputer, the company added that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included."

ADT also emphasized what it said was not taken or impacted: "Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way." The company did not confirm the volume of data theft claimed by the attackers.

ShinyHunters posted a 10 million-record extortion demand and set a deadline

The ADT incident appeared on the ShinyHunters data leak site, where the extortion group posted: "Over 10M records containing PII and other internal corporate data have been compromised. Pay or Leak." The listing included a demand and a deadline, warning: "This is a final warning to reach out by 27 Apr 2026 before we leak along with several annoying (digital) problems that'll come your way."

ADT has not confirmed the 10 million-record figure that ShinyHunters published on its leak site.

ShinyHunters alleges a vishing attack that compromised an Okta SSO account and Salesforce data

ShinyHunters told BleepingComputer the group allegedly gained access through a voice phishing (vishing) attack that compromised an employee’s Okta single sign-on (SSO) account. Using that account, the threat actors claimed they accessed and stole data from the company's Salesforce instance.

The group said this approach fits a broader pattern: since last year, ShinyHunters has been conducting widespread vishing campaigns that target employees and BPO agents' Microsoft Entra, Okta, and Google SSO accounts. After gaining SSO access, the group says it steals data from connected SaaS applications and uses the material to extort the company into paying a ransom or face a public leak.

ShinyHunters' SaaS targets and the extortion playbook

According to the group's description to BleepingComputer, once a corporate SSO account is compromised the attackers move to connected SaaS applications. ShinyHunters listed an array of targets they have accessed in other campaigns, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox, among others.

ShinyHunters framed the stolen data as both leverage for extortion and as material they will publish if demands are unmet.

What this means for technologists, affected customers, and threat actors

  • Technologists and security teams: teams will watch the April 27, 2026 deadline the extortion group set and examine whether the attacker publishes any data; investigators will also want to validate ADT's containment claims and the scope of SSO access to SaaS systems such as Salesforce.
  • Affected customers and prospective customers: ADT says it has notified individuals whose names, phone numbers, or addresses were stolen and that, in a small percentage of cases, dates of birth and last-four SSN or Tax ID digits were involved; ADT also stated no payment information or customer security systems were accessed.
  • Threat actors and corporate defenders: ShinyHunters' account of using vishing to compromise Okta SSO and then extracting data from connected SaaS services underlines the specific vector the extortion group claims to favor and the type of follow-on theft and pressure they allege they can apply.

ADT previously disclosed separate data breaches in August and October 2024 that exposed customer and employee information, and it faces an immediate test of its containment and notification process with the ShinyHunters claim and the April 27 deadline. Whether the extortion group publishes data or the company provides further detail on scope and affected records will be the concrete milestones that follow.

Original reporting: BleepingComputer: ADT confirms data breach after ShinyHunters leak threat

Customer DataData BreachEmerging ThreatsExtortionPersonal DataRansomwareShinyhuntersSupply ChainADTInformation Theft
Related Intelligence

Continue Reading

Laptop on a neutral surface with a blank screen displaying a soft gradient, in a clean and minimalist setting.

Google patches Chrome zero-day flaw under active exploitation

Google just released urgent updates to fix a high-severity Chrome flaw that's being actively exploited by hackers - the fifth zero-day vulnerability patched by the company this year. This latest bug, CVE-2026-11645, could let attackers run malicious code and access sensitive data in your browser.

Analyst 207
Rows of computer servers and networking equipment in a brightly-lit server room with a highlighted server in the foreground.

LiteLLM Flaw Exploited in Wild, Enables Unauthenticated RCE

A high-severity flaw in BerriAI's LiteLLM, known as CVE-2026-42271, has been actively exploited, allowing unauthenticated users to execute commands remotely. This critical vulnerability affects LiteLLM versions 1.74.2 to 1.83.7 and has been deemed a major security risk.

Analyst 207
Professional workspace with laptop, papers, and office supplies, blurred email inbox in background.

North Korea Targets Developers with 250 Fake Job Offers in Credential Heist

In a sneaky credential heist, hackers sent over 250 fake job offers to developers at nearly 100 US organizations, disguising phishing attempts as recruitment messages. The six-week scam targeted professionals in tech, education, and finance.

Analyst 207
Brightly-lit office setting with server room in background and blurred computer terminal hinting at third-party vendor…

SoFi Hong Kong Breach Exposes Customer Data at Third-Party Vendor

SoFi Hong Kong recently discovered a data breach at a third-party vendor that exposed customer information, with unauthorized access detected on April 30, 2026. The company's investigation is ongoing, but it confirmed the breach originated from a vendor, not its internal systems.

Analyst 207