ADT and the ShinyHunters extortion group are at a standoff today, with attackers threatening to publish 10 million customer records unless the home security giant pays an undisclosed ransom before the April 27 deadline.

ADT confirmed the breach in a statement, saying it detected unauthorized access to customer and prospective customer data on April 20, terminated the intrusion, and launched an investigation. That investigation found names, phone numbers, and addresses were taken; in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were also stolen. ADT says no payment information and no customer security systems were compromised.

ShinyHunters posted ADT on its data leak site with a blunt message: “Over 10M records containing PII and other internal corporate data have been compromised. Pay or Leak.” ADT hasn’t confirmed the 10 million figure.

ShinyHunters told BleepingComputer it gained access through a vishing (voice phishing) attack that compromised an ADT employee’s Okta single sign-on account. From that account, the threat actors accessed ADT’s Salesforce instance and pulled the data. It’s the same playbook the group has run since last year: target employees’ Okta, Microsoft Entra, or Google SSO credentials, then drain connected SaaS platforms like Salesforce, Microsoft 365, and Slack.

ADT has disclosed two prior breaches, in August and October 2024, that exposed customer and employee data. The company says it has contacted all affected individuals.

The April 27 deadline is today.

— James Okafor