On April 20, 2026, ADT detected unauthorized access to some of its cloud-based environments. The incident involved the theft of customer and prospective customer data, leading to an extortion attempt by the hacking group known as ShinyHunters. They got in by phone-scamming an ADT employee into handing over login credentials.

Key Details of the Incident

  • Data Accessed: ADT has confirmed that the stolen information is limited to customer names, phone numbers, and addresses. For a “small percentage” of affected individuals, dates of birth and the last four digits of Social Security or tax ID numbers were also involved.
  • What Was NOT Compromised: The company emphasizes that no payment information (such as credit card or bank account details) was accessed, and customer security systems remained unaffected and operational.
  • Discrepancy in Scope: There is a significant gap between the claims made by the attackers and those by ADT. ShinyHunters has claimed to have stolen over 10 million records. In contrast, the breach-tracking service Have I Been Pwned has listed the breach as exposing approximately 5.5 million unique email addresses.

ADT’s Response

  • Containment: ADT stated it immediately terminated the unauthorized access upon detection, activated its incident response plan, and engaged third-party cybersecurity experts.
  • Notification: The company has notified law enforcement and is directly contacting individuals whose data was affected.
  • Support: ADT is offering complimentary identity protection services to those impacted.

Context on the Attack

The ShinyHunters group is a well-known extortion gang that has targeted various organizations by using voice phishing (vishing) to compromise corporate single sign-on (SSO) accounts. Once inside, they typically extract data from connected SaaS applications—in this case, reportedly Salesforce—to use as leverage for ransom demands.

If you are concerned about your personal information, it is a good practice to monitor your accounts for any suspicious activity and utilize services like Have I Been Pwned to see if your email address has been included in reported breaches.

My recommendation – If you’re a customer, freeze your credit now (everyone should have already done this) and watch for phishing emails and texts.

Other cyber-criminal activity for this week – Citizens Bank also admitted to experiencing a cyber breach incident. The “Everest” ransomware gang listed Citizens Bank on its Dark Web site on April 20th, giving Citizens a six-day deadline to pay the ransom before publicly releasing stolen data.

  • The gang claims to hold ~3.4 million Citizens Bank records from a SQL database dump, but the samples only contain full names, home addresses, account numbers, and internal document flags. No SSNs or TINs were found, limiting the damage mostly to scams and user profiling.
  • Citizens confirmed the breach originated from a third-party vendor, not from direct unauthorized access to their own networks.

Sergeant Esterhaus of Hill Street Blues said it best: “Let’s be careful out there!”
https://www.youtube.com/watch?v=Jmg86CRBBtw

ADT on Government Info Security:
https://www.govinfosecurity.com/home-security-firm-adt-breach-55m-customers-data-exposed-a-31511

Have I Been Pwned:
https://haveibeenpwned.com/
