ADT has confirmed a new data breach, with the cybercrime group ShinyHunters claiming to have stolen over 10 million records. The company says attackers accessed a limited set of customer and prospective customer data on April 20.
ADT states the exposed data includes names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also compromised. Critically, no payment information or customer security systems were affected.
ShinyHunters told BleepingComputer they used a voice phishing attack (vishing) to compromise an employee's Okta single sign-on account, gaining access to ADT's Salesforce system. ADT has not confirmed this specific method but says its cybersecurity protocols detected and contained the intrusion quickly.
This is not ADT's first breach; the company disclosed incidents in August and October 2024. While no financial data or system control was compromised, the exposed personal information-names, addresses, and partial Social Security numbers-provides a powerful foundation for targeted scams and identity theft.
ADT says it has directly notified all impacted individuals and will offer complimentary identity protection services.