Prolific ShinyHunters Extortion Group Made ‘Pay or Leak’ Threat to Victim

In a significant cybersecurity incident, ADT, a leading home security company, has reportedly fallen victim to a major data breach, which has compromised the personally identifiable information (PII) of approximately 5.5 million customers. This breach raises serious concerns regarding the integrity of customer data and the measures that enterprises should take to safeguard sensitive information.
According to a filing with the U.S. Securities and Exchange Commission (SEC), ADT first alerted its investors about the breach on April 24, 2026. The firm disclosed that it had become aware on April 20 of unauthorized access involving certain cloud-based environments. Following the breach, ADT said it believed that only a limited amount of customer data had been accessed, and it asserted that the incident was unlikely to have a material impact on its financial performance.
As a prominent provider of security services for homes and small businesses, ADT operates numerous sales and service offices across the country, along with multiple monitoring and support centers. This incident marks a significant issue for the company, which trades on the New York Stock Exchange under the ticker symbol “ADT” and has been facing challenges in maintaining customer trust.
Adding to the gravity of the situation, the notorious hacking group known as ShinyHunters has claimed responsibility for the data breach, listing ADT on its data leak blog. The group asserts that it has stolen over 10 million records, including sensitive customer and corporate information. On April 27, they even released a zip file purportedly containing these records.
Breach-tracking service Have I Been Pwned has also confirmed the breach and pointed out that it has impacted 5.5 million unique email addresses along with customers’ names, physical addresses, and phone numbers. This exposure of personal information not only jeopardizes the safety of affected individuals but also serves as a grim reminder of the vulnerabilities that can exist even within reputable organizations.
Moreover, Have I Been Pwned revealed that a staggering 71% of the exposed email addresses were already listed in its database due to prior breaches, emphasizing the ongoing issue of data security across industries. The service allows individuals to register their email addresses to receive alerts whenever those addresses are involved in new breaches, reflecting the ongoing necessity for individuals to monitor their digital safety.
Further concerning is the exposure of some ADT customers’ dates of birth and partial government-issued ID numbers. ADT said that, in a small percentage of cases, only the last four digits of Social Security numbers or tax IDs were included. Fortunately, the company confirmed that there was no access to payment card data, and customer security systems remained untouched by the hackers.
As part of its response to the data breach, ADT has initiated contact with all affected customers, though specifics regarding the volume of data compromised or whether it includes both current and former customers have not been disclosed. Data released at the end of 2025 indicates that ADT had roughly 6.1 million subscribers for its security monitoring services.
ShinyHunters is a cybercriminal group that originates from a largely Western adolescent cybercrime community known as “The Com.” This group is recognized for its ability to convert social engineering tactics, often through live phone calls targeting IT help desks, into successful hacks of significant corporations. Their methods often include the use of phishing-as-a-service toolkits during the initial phases of their attacks.
The group reportedly told Bleeping Computer that it successfully breached ADT’s Okta security software through social engineering techniques targeting an employee. By exploiting that employee’s account, the group claimed to have accessed sensitive data stored in the company’s Salesforce instance, showcasing the intricate methods employed by cybercriminals today.
Cybersecurity experts, including those at Unit 221B, have cautioned that victims of ShinyHunters should avoid paying ransoms or engaging in any communication with the extortionists. Such interactions can signal to the offenders that their threat has value and may provoke further harassment tactics, which could include distributed denial-of-service (DDoS) attacks, email flooding, or even threats against executives.
This breach is just one in a series of claims made by ShinyHunters since the beginning of 2026, with their targets including prestigious institutions like Harvard and the University of Pennsylvania, investment advisory firms, and numerous organizations that utilize components from the Aura rapid development framework, which is developed by Salesforce.
The group has demonstrated a consistent trend of gaining access to organizations via single sign-on software such as Okta, Google, or Microsoft Entra, frequently setting its sights on Salesforce customer relationship management data. While their previous campaigns haven’t directly exploited vulnerabilities in Salesforce, they have successfully taken advantage of misconfigured accounts and garnered direct access to customer data through deception.
It’s worth noting that this is not the first time ADT has faced breaches; the company previously reported a breach in October 2024 that involved encrypted employee account data, and another incident in August 2024, which exposed approximately 30,800 customer records on a hacking forum. This pattern of data breaches highlights the ongoing challenges that even large corporations face in securing sensitive information.