When you sign up for a professional home security system, you’re making a bet: that the company watching your home is better at security than you are. ADT’s third data breach in less than a year puts that bet in serious question.

On April 20, 2026, ADT discovered that attackers had gained unauthorized access to its cloud-based environments. By April 24, the ShinyHunters extortion group had listed ADT on its dark web leak site with a simple ultimatum: pay up, or the data goes public. ADT didn’t pay. On April 27, ShinyHunters leaked an 11 GB archive of stolen data. ADT filed an 8-K with the SEC the same day, confirming the breach affected approximately 5.5 million customers.

How One Phone Call Unlocked 5.5 Million Records

The attack didn’t begin with a sophisticated zero-day exploit or weeks of network reconnaissance. It began with a phone call.

ShinyHunters used a voice phishing attack β€” known in the industry as vishing β€” to impersonate a legitimate caller and trick an ADT employee into handing over credentials for their Okta single sign-on account. Okta SSO is supposed to simplify enterprise access management: one login, many systems. When attackers compromise that one login, they potentially get access to all of those systems at once.

In this case, that meant Salesforce. Using the compromised Okta account, the attackers accessed ADT’s Salesforce instance and extracted customer records at scale.

No malware. No exploited software vulnerability. Just a convincing phone call and a single point of failure.

What Was Exposed

ADT confirmed the following data was included in the breach:

  • Full names
  • Phone numbers
  • Physical addresses
  • In a small percentage of cases: dates of birth and the last four digits of Social Security numbers or Tax IDs

ADT was careful to note that payment card data, bank account numbers, and customer security system configurations were not accessed. The company also stated that home security systems themselves were not affected or compromised.

That’s cold comfort for the subset of customers whose partial Social Security numbers are now floating in a leaked 11 GB archive.

This Is ADT’s Third Breach Since August 2024

What makes this breach especially alarming isn’t the data β€” it’s the pattern.

  • August 2024: ADT disclosed a breach affecting customer email addresses, phone numbers, and postal addresses.
  • October 2024: ADT disclosed a second breach in which employee credentials were stolen and used to access internal systems.
  • April 2026: ShinyHunters breach β€” 5.5 million customers, vishing attack, Salesforce data exfiltration.

Three breaches in under two years at a company whose entire product is home security. Each time, attackers found a way in. Each time, customer data left the building.

Why Home Security Companies Are High-Value Targets

ADT isn’t just a company that collects contact information. It’s a company that knows:

  • Whether you’re home or away (alarm arm/disarm patterns)
  • Your home address linked to your identity
  • Your emergency contacts
  • In some cases, your physical home’s layout and entry points

Even without accessing alarm system data directly, a breach of customer records creates a rich dataset for follow-on attacks. Physical address linked to a name and phone number is enough to enable targeted social engineering, mail fraud, or worse β€” enabling an attacker who already knows you’re on vacation to plan accordingly.

ShinyHunters: The Group Behind the Attack

ShinyHunters has become one of the most prolific data extortion groups operating today. Their playbook is consistent: compromise SSO accounts through vishing campaigns targeting employees and business process outsourcing (BPO) agents, access SaaS platforms using those credentials, extract data at scale, then demand payment under threat of public release.

Recent targets include Ticketmaster (560 million records), Santander Bank, and now ADT. The group has been conducting this exact SSO-to-SaaS campaign pattern for over a year, and it keeps working because enterprises continue to underestimate vishing as an attack vector and overestimate the protection their SSO implementations provide.

What ADT Customers Should Do Now

If you’re an ADT customer, take these steps immediately:

1. Assume your contact information is compromised. Your name, phone number, and home address are now in a leaked archive. Be alert for unexpected calls, texts, or mail that reference your ADT account or home security.

2. Watch for vishing attacks targeting you. If ShinyHunters can trick an ADT employee with a phone call, they can trick you. Be deeply skeptical of any unsolicited call claiming to be from ADT, your bank, or any other service provider β€” especially if they’re asking you to confirm account details, update credentials, or authorize actions.

3. Enable MFA on every account that offers it. Especially your ADT account, email, and any financial accounts linked to the address exposed in the breach.

4. Freeze your credit if partial SSNs were involved. ADT acknowledged that a subset of customers had their last four digits of Social Security numbers exposed. Combined with your name and address, that’s enough to attempt identity theft. A credit freeze at all three bureaus (Equifax, Experian, TransUnion) costs nothing and blocks new account fraud.

5. Monitor for phishing emails referencing the breach. Opportunistic attackers often send fake β€œbreach notification” emails after a high-profile incident. Any email about this breach that asks you to click a link, enter credentials, or download a file is almost certainly malicious.

The Bigger Picture

ADT isn’t alone in this problem. The home security industry collects exactly the kind of data that makes breaches catastrophic β€” physical addresses, behavioral patterns, identity information β€” and many providers have not kept pace with the sophistication of the groups targeting them.

Vishing attacks work because they exploit human trust rather than software vulnerabilities. No firewall blocks a convincing phone call. No patch prevents an employee from being fooled. The answer is training, strict verification protocols for any action taken over the phone, and zero-trust architectures that limit how much a single compromised account can access.

Until that bar is raised across the industry, the question isn’t whether your home security provider will be breached. It’s when, and how much of your data they’ll take with them.

ADT has not publicly disclosed the full scope of affected accounts or the specific ransom demand. Customers seeking more information can contact ADT directly or monitor the company’s official breach notification page.