Home Security Firm ADT Breach: 5.5M Customers’ Data Exposed

Prolific ShinyHunters Extortion Group Made ‘Pay or Leak’ Threat to Victim


Home security giant ADT suffered a data breach that appears to have exposed personally identifiable information pertaining to 5.5 million customers.


ADT first notified investors about the breach in a Friday filing to the U.S. Securities and Exchange Commission.

The filing says ADT learned of the breach on April 20, involving “unauthorized access to certain cloud-based environments.” The Florida firm said it believes that “only limited customer and prospective customer data was accessed,” and that the breach is unlikely to materially dent its earnings.

ADT provides security services for homes and small businesses, runs a variety of sales and service offices nationwide, as well as six 24/7 monitoring and support centers, and relies on a large network of installation and service professionals. Since its IPO in January 2018, the company has traded on the New York Stock Exchange under the symbol “ADT.”

The extortion group ShinyHunters on Friday listed ADT on its data leak blog. The group claimed to have stolen “over 10M records containing PII and other internal corporate data.” It posted Sunday a zip file of what it says is more than 10 million records.

Breach-tracking service Have I Been Pwned listed the breach Monday, noting that it exposed 5.5 million unique email addresses, as well as customers’ names, physical addresses and phone numbers.

Have I Been Pwned said that 71% of the exposed email addresses are already in its database of email addresses, meaning they were exposed in previous breaches. The free service allows an individual to register an email address, then emails an alert whenever that address appears in a corpus of breach data.

Some ADT customers’ date of birth and a partial government-issued ID number were also exposed. ADT in an emailed statement said that “in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or tax IDs were included.” It said that hackers did not access payment card data “and customer security systems were not affected or compromised in any way.”

ADT said it has contacted all affected customers. The company didn’t detail the volume of customer data allegedly exposed, or if it pertains to both current and former customers. At the end of 2025, ADT counted about 6.1 million security monitoring service subscribers.

ShinyHunters is the name of a hacking group that emerged from the largely Western adolescent cybercrime community known as “The Com,” which excels at converting social engineering attacks, oftentimes in live telephone calls targeting an organization’s IT help desk, into hacks of major corporations. The group regularly relies on phishing-as-a-service toolkits in the initial stage of its attacks.

ShinyHunters told Bleeping Computer it breached ADT’s Okta security software by socially engineering an employee. “Using this account, the threat actors claimed they accessed and stole data from the company’s Salesforce instance,” the publication reported (see: Voice Phishing Okta Customers: ShinyHunters Claims Credit).

Cybersecurity firm Unit 221B – a threat intel firm that closely monitors the cybercriminal underworld – urges victims of ShinyHunters to never pay a ransom or even open communications with the extortionists. Doing so can signal that a victim thinks the data has value and trigger a variety of “harassment attacks” that can range from distributed-denial-of-service disruptions and email flooding to swatting attacks against executives.

Since the beginning of the year, ShinyHunters has claimed breaches against Ivy League giants Harvard and University of Pennsylvania, investment advisory firms Mercer Advisors and Beacon Pointe Advisors, dating app conglomerate Match Group, and hundreds of organizations that rely on Aura rapid development framework components developed by Salesforce (see: Salesforce Sounds Alarm Over Fresh Data Extortion Campaign).

The group regularly gains access to an organization through its single sign-on software, such as Okta, Google or Microsoft Entra, and frequently targets a company’s Salesforce customer relationship management data. Previous campaigns by the group haven’t directly exploited flaws in Salesforce, although the group has taken advantage of misconfigured guest accounts. The attackers have previously also tricked victims into giving them direct access to customer data and exploited vulnerabilities in third-party services that integrate with Salesforce.

ADT previously reported a breach in October 2024 that exposed encrypted employee account data, as well as a breach in August 2024 that led to 30,800 customer records being leaked on a hacking forum.
