ADT Confirms Data Breach Exposing 5.5M Customers — Here's What to Do
ADT confirmed a Salesforce-instance breach affecting 5.5 million customers after the ShinyHunters extortion group set an April 27 leak deadline. No payment data or alarm systems were touched, but home addresses are out — and the phishing wave is already starting.
Omer YLD
Founder & Editor-in-Chief
ADT confirmed today that an attacker accessed a Salesforce instance containing customer data for 5.5 million people, after the extortion crew ShinyHunters named the company on its "pay or leak" site with an April 27, 2026 deadline. The home-security giant's breach notice — corroborated by Help Net Security and a fresh entry on Have I Been Pwned — confirms what investigators traced back to April 20: a vishing call against an employee gave the attacker an Okta SSO session, and from there a pivot into Salesforce did the rest.
The good news, such as it is: no payment cards, no alarm-system access, no audio or video from cameras. The bad news is that the data that did leave the building is the data that fuels phishing attacks aimed specifically at ADT customers — and those calls and texts have already started.
What ADT confirmed
In a customer notification published April 26, ADT acknowledged that an unauthorized party "obtained access to a third-party cloud-based environment used to store customer relationship management data." Translated: the Salesforce instance ADT uses to track customers and service tickets. The company says the intrusion happened on April 20 and was contained the same week, but the data was already out the door.
Per the notice and corroborating reporting from BleepingComputer and Help Net Security:
- 5,479,000+ unique email addresses affected
- Names, mailing addresses, phone numbers
- For a smaller subset: date of birth and last four digits of SSN or Tax ID
- No credit card or banking data
- No access to ADT alarm systems, cameras, or the 24/7 monitoring center
- No ADT employee credentials beyond the initial compromised account
The 5.5M figure is large but plausible — ADT serves roughly 6 million residential and small-business customers in North America, so the breach scope is nearly the entire customer base.
How they got in: vishing the help desk
The attack chain is by now familiar. A ShinyHunters operator phoned ADT's help desk, impersonated an employee locked out of their account, and walked the agent through a "password reset" that included an MFA prompt the attacker then approved on the real employee's session. That's the vishing step. Once inside the Okta SSO tenant, the attacker enumerated which SaaS apps the compromised account had access to, found the Salesforce instance, and pulled customer records via the standard Salesforce data-export tooling.
This is the same playbook ShinyHunters and adjacent groups used through 2024 and 2025 against Snowflake tenants and a string of CRM-hosted customer databases. The lesson the security community has been repeating — and the lesson breaches like this keep teaching — is that the strongest perimeter on the planet doesn't help if a help-desk agent will reset a password over the phone. ADT has not commented publicly on whether the compromised employee had phishing-resistant MFA (FIDO2/passkey) enforced, but the success of a simple push-prompt approval suggests the answer is no.
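For defenders, the chain described above (a password reset performed on a user's behalf, then a sign-on into Salesforce from somewhere new) is a sequence worth alerting on. The sketch below is an added example, not ADT's, Okta's or Salesforce's code: the two event-type strings follow Okta's System Log naming, while the flat record layout, the 60-minute window, and all accounts and IPs are constructed assumptions.

```python
from datetime import datetime, timedelta

RESET = "user.account.reset_password"   # Okta System Log event type
SSO = "user.authentication.sso"         # Okta System Log event type
WINDOW = timedelta(minutes=60)          # assumed correlation window

def ev(ts, kind, actor, user, ip, app=None):
    # "user" is the account acted on; "actor" is whoever performed the action.
    return {"ts": ts, "type": kind, "actor": actor, "user": user, "ip": ip, "app": app}

# Constructed sample events (not real ADT or Okta data); the flat layout is assumed.
EVENTS = [
    ev("2026-04-18T14:02:00", SSO, "jdoe@example.com", "jdoe@example.com", "198.51.100.10", "Salesforce"),
    ev("2026-04-19T08:30:00", SSO, "bkim@example.com", "bkim@example.com", "192.0.2.5", "Salesforce"),
    ev("2026-04-20T09:00:00", RESET, "helpdesk2@example.com", "bkim@example.com", "192.0.2.50"),
    ev("2026-04-20T09:10:00", SSO, "bkim@example.com", "bkim@example.com", "192.0.2.5", "Salesforce"),
    ev("2026-04-20T15:00:00", RESET, "helpdesk1@example.com", "jdoe@example.com", "192.0.2.50"),
    ev("2026-04-20T15:12:00", SSO, "jdoe@example.com", "jdoe@example.com", "203.0.113.77", "Salesforce"),
    ev("2026-04-20T16:00:00", RESET, "asmith@example.com", "asmith@example.com", "198.51.100.40"),
    ev("2026-04-20T16:05:00", SSO, "asmith@example.com", "asmith@example.com", "198.51.100.40", "Salesforce"),
]

def find_reset_then_sso(events, window=WINDOW):
    """Flag app SSO from an IP the user has never used, soon after someone else reset their password."""
    known_ips = {}    # user -> IPs seen on earlier, unflagged sign-ons
    last_reset = {}   # user -> (time, account that performed the reset)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == RESET and e["actor"] != user:
            last_reset[user] = (ts, e["actor"])      # reset done on the user's behalf
        elif e["type"] == SSO:
            seen = known_ips.setdefault(user, set())
            reset = last_reset.get(user)
            if reset and ts - reset[0] <= window and e["ip"] not in seen:
                alerts.append({"user": user, "reset_by": reset[1], "ip": e["ip"], "app": e["app"],
                               "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60)})
            else:
                seen.add(e["ip"])                    # treat as baseline
    return alerts

if __name__ == "__main__":
    for alert in find_reset_then_sso(EVENTS):
        print(alert)
```

Only the jdoe sequence is flagged: the bkim sign-on comes from an address already in that user's baseline, and the asmith reset was self-service.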
What it means for ADT customers
The threat model here isn't identity theft in the classic sense — there's no payment data, and the SSN exposure is limited to a subset and to last-four only. The threat is targeted phishing.
Attackers now have, for 5.5 million households:
- A confirmed home address with the knowledge that an alarm system is installed there
- A direct phone line and email tied to that address
- The customer's full name to use in convincing impersonations of ADT support
Expect a wave of "Your ADT system needs a firmware update — please verify your account" calls, "We detected an alarm event at your home" texts, and emails that include the customer's real address to establish authenticity. Some of these will try to harvest the ADT mobile-app password (which, if reused elsewhere, is a much bigger problem). Some will try to install remote-access software on a phone or PC. A few will be physical — door-to-door "ADT technicians" claiming a service call.
What to do right now
Treat the next 30 days as a high-alert window if you're an ADT customer:
- Change your ADT account password and your ADT mobile-app password. If you reused that password anywhere else, change it there too. A password manager fixes this in 10 minutes — see our roundup of best LastPass alternatives in 2026 for picks.
- Turn on MFA inside the ADT app. Use an authenticator app (Aegis, 1Password, Authy), not SMS.
- Never give security-system info to an inbound caller. ADT will not call you to verify your password, install an "update," or ask for the code. If a call seems urgent, hang up and dial the number on the back of your bill.
- Watch your email. The phishing waves use real address data — see our guide on how to spot AI-driven phishing. The new attacks will be very personalized.
- Freeze your credit at all three bureaus. Free, takes five minutes, blocks new-account fraud cold. Do this even though SSNs weren't fully exposed — the partial digits plus DOB plus address is enough to cause real friction.
- Set up Have I Been Pwned alerts. haveibeenpwned.com already has the ADT breach indexed; subscribe with your email to be alerted on future leaks.
- If you also got a notification with the SSN/DOB subset, ADT has indicated it will offer free credit monitoring. Take it — but don't let it replace the credit freeze.
What's next
ShinyHunters' April 27 deadline is the immediate question. If ADT did not pay (and large U.S. companies almost never publicly admit to paying), the data dumps to a leak forum within days, after which it spreads to the secondary scammer ecosystem inside a week. The phishing campaigns ramp from there.
Longer term, expect class-action filings within a month — that's now standard for any U.S. breach above a million records — and an SEC 8-K filing from ADT under the 2023 cyber-disclosure rules. The interesting regulatory question is whether the FTC scrutinizes the help-desk failure mode itself, since the same vector has now hit dozens of Fortune 500 companies and the industry's response has been notably underwhelming.
For ADT customers, the playbook is simple: assume your address is on a phishing list, harden the ADT account, freeze credit, ignore unsolicited calls. The breach is done. The phishing wave that follows it is the real fight.



