ADT
The company that watches your home just exposed where you live. Third breach in under a year.
What happened?
On April 20, 2026, ADT detected unauthorized access to customer data. ShinyHunters had compromised an employee's Okta single sign-on account through a voice phishing call, then used that access to exfiltrate data from ADT's Salesforce instance. When ADT refused to pay, ShinyHunters leaked an 11 GB archive on April 27.
What data was actually inside?
5.5 million unique email addresses. Full names, phone numbers, and home addresses. In a subset of records: dates of birth and the last four digits of Social Security numbers or Tax IDs.
ADT says no payment information was accessed. That's not the problem. The problem is 5.5 million verified home addresses—addresses that belong to people who pay for home security systems because they're concerned about physical safety.
Who gets hurt and how?
ADT customers chose to install security systems because they wanted protection. Now their home addresses are circulating on criminal forums alongside their names, phone numbers, and email addresses.
This isn't abstract identity theft risk. This is a list of verified residential addresses tied to people who demonstrably have something worth protecting. The data tells criminals exactly where to look and who lives there. For domestic abuse survivors, stalking victims, and anyone with safety concerns serious enough to warrant a security system, this exposure is the opposite of what they paid for.
What did they think they were doing right?
ADT emphasized that "customer security systems were not affected or compromised in any way." The cameras still work. The alarms still sound. The sensors still detect motion.
But someone called an employee, convinced them to provide credentials, and walked out with 5.5 million customer records. No technical exploit required. Just a convincing phone call.
What did they not know about their own data?
This is ADT's third breach disclosure in under a year. August 2024. October 2024. April 2026. Each time, customer data. Each time, the same Salesforce environment holding years of accumulated customer information.
After three breaches, ADT still can't answer the fundamental question: what sensitive data exists in our systems and who can access it? A single compromised Okta account shouldn't provide access to 5.5 million customer records. But it did—because the data was there, accessible, and no one knew exactly what an attacker could reach until they reached it.
If your business runs on databases, you probably have similar records—customer data, credentials, financial information. Do you know what's actually in yours?
What does attribution look like the morning after?
ShinyHunters gave ADT until April 27 to pay. ADT refused. The data is now public—11 GB of customer records available to anyone who wants them.
For 5.5 million customers, the notification letter arrives after their data has already been leaked, indexed, and distributed. ADT faces notification obligations across every state where those customers reside. But notification doesn't undo exposure. The addresses are out there.
What would have changed the outcome?
Knowing what data a single compromised account could access—before the phone rang.
Vishing works because attackers know the reward is worth the effort. One convincing call, one compromised credential, 5.5 million records. An organization that had inventoried what data lived in Salesforce, mapped what each role could access, and flagged concentrations of sensitive information would have known this risk existed. They could have segmented access, limited exposure, and ensured a single compromised account couldn't reach millions of records.
Third breach in a year. Same question each time: what's actually in there?
ADT found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.