ADT confirms data breach after extortion group threatens leak

Home security company ADT has confirmed a data breach after the ShinyHunters extortion group threatened to publish stolen data unless a ransom is paid. In a statement issued today, ADT said it detected un ADT told BleepingComputer that the exposed data was limited to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included. The company emphasized that no payment information, including bank accounts or credit cards, was accessed, and that customer security systems were not affected or compromised. The confirmation follows the appearance of ADT on the ShinyHunters data leak site. The attackers claimed to have stolen more than 10 million records containing personal information and internal corporate data. The site listed a final warning to reach out ShinyHunters told BleepingComputer it allegedly breached ADT through a voice phishing attack that compromised an employee's Okta single sign-on account. Using that access, the threat actors claimed they stole data from the company's Salesforce instance. Since last year, the group has conducted widespread vishing campaigns targeting employee and business process outsourcing agent accounts across Microsoft Entra, Okta, and Google single sign-on platforms.