ADT Inc. has confirmed that the ShinyHunters extortion group gained unauthorized access to its cloud-based systems on April 20, 2026. With claims of theft of over 10 million customer records Okta SSO account compromise from a vishing attack, Salesforce data exfiltration and a Pay or Leak deadline of April 27 this is ADTs third major breach in just 2 years.
America largest home security company ADT Inc. has once again fallen victim to a data breach and this time it was not a simple hack but a calculated extortion operation. ADT confirmed on April 24, 2026, that it detected suspicious activity in its systems on April 20 after which the company immediately terminated the intrusion and engaged external cybersecurity experts for a forensic investigation and notified law enforcement.
The disclosure was officially made public through a Form 8-K filing submitted to the U.S. Securities and Exchange Commission which confirms the incident was materially significant to the company. ADT told BleepingComputer that the compromised information was limited to names, phone numbers and addresses and in a small percentage of cases dates of birth and the last four digits of Social Security numbers. The company confirmed that no payment information was accessed and that customer home security systems are completely secure.
But ShinyHunters claims differ significantly from ADTs. ShinyHunters posted a listing on its dark web leak site in which the group claimed to have compromised more than 10 million PII and internal corporate data records and issued a dangerous final warning that they must contact them by April 27, 2026 or the data will be publicly leaked and accompanied by several annoying digital problems.
This is classic double extortion first steal the data then demand ransom and if you don’t pay then publicly shame you.
One Vishing Call Millions of Records Exposed
ShinyHunters told BleepingComputer that they entered ADT through a voice phishing attack, compromised an employees Okta single sign-on (SSO) account and then used that account to access and exfiltrate data from the company Salesforce instance.
This method sounds simple but in reality its a quite sophisticated. According to Obsidian Securitys detailed incident analysis, ShinyHunters consistent pattern is first compromise an Okta account and then establish persistence by making MFA changes then enumerate SSO-connected applications and then steal data at a mass scale. This technique also resembles the tradecraft of groups like Scattered Spider.
Okta Threat Intelligence confirmed that attackers used custom phishing kits that mimic legitimate authentication flows in real-time. When the victim talks on the phone and sees the fake login page the attacker simultaneously syncs MFA challenges and greatly reducing the probability that the victim will approve.
Mandiant CTO Charles Carmakal confirmed to Cybersecurity Dive that Mandiant is tracking a new ongoing ShinyHunters-branded campaign that is using evolved vishing techniques to successfully compromise SSO credentials from victim organizations and enroll threat actor-controlled devices in victim MFA solutions, and this activity is active and ongoing.
ShinyHunters campaign is not limited to ADT. SoundCloud, fintech firm Betterment and market intelligence company Crunchbase are also among the campaigns confirmed victims and the group also targeted more than 700 enterprise cloud environments in a Salesforce CRM data heist.
This is the third major incident for ADT in just two years. Customer order data in August 2024 encrypted employee data in October 2024 and now the claim of 10 million records in 2026 which raises the question as to why a security company is failing its own security so many times. The deadline is 27 April now all eyes are on ADT next move.
