ADT Confirms Cyber Intrusion After ShinyHunters Extortion Attempt, 5.5 Million Emails Exposed
Home security giant ADT has confirmed a cyber intrusion on April 20 after the ShinyHunters extortion group claimed to have stolen over 10 million Salesforce records containing customer PII.

Home security giant ADT has confirmed a cyber intrusion that began on April 20, following an extortion attempt by the notorious ShinyHunters hacking group. The company, one of the world's largest providers of monitored alarm systems and smart home security, disclosed the breach in a regulatory filing and public statement on Friday, acknowledging that attackers accessed certain cloud-based environments and made off with customer data.
According to ADT's official account, the data the intruders stole includes names, phone numbers, and addresses, with a smaller subset also containing dates of birth and the last four digits of Social Security or tax identification numbers. The company was keen to stress that no payment data was accessed and that customer security systems themselves were not compromised. ADT said it detected the unauthorized access on April 20, immediately shut it down, and brought in outside incident responders while looping in law enforcement.
ShinyHunters, however, is telling a much larger story. In a post on its dark web leak site seen by The Register, the group claims it lifted "over 10M Salesforce records containing PII and other internal corporate data" and is now dumping the entire trove after negotiations with ADT fell through. "The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made," the group stated. The mention of Salesforce strongly suggests the intrusion originated from a compromised SaaS foothold rather than any direct tampering with alarm panels or physical security infrastructure.
The gap between ADT's characterization of a "limited set" of data and ShinyHunters' claim of 10 million records is significant. Have I Been Pwned has now added a concrete data point, listing 5.5 million unique email addresses from the breach — a number that sits far closer to the attackers' version than ADT's. This pattern of companies minimizing scope while attackers exaggerate is familiar, but the HIBP number provides an independent benchmark that suggests the true scale is in the millions.
ShinyHunters has a track record of similar extortion campaigns. The group recently made comparable claims against cruise operator Carnival Corporation, complete with talk of failed negotiations and an impending data dump. For ADT, a company whose entire business model is built on keeping intruders out, the breach represents a particularly damaging reputational blow. The incident also highlights the growing risk of SaaS environment compromises, where attackers gain access through cloud applications rather than traditional network perimeter breaches.
ADT has not yet responded to questions about the initial compromise vector, the total number of affected individuals, whether customers outside the US are involved, or whether it has filed breach notifications with state attorneys general. The company's 8-K filing with the SEC confirms that attackers accessed "certain cloud-based environments" but provides no further technical detail. As investigations continue, the true scope of the breach — likely somewhere between ADT's minimal description and ShinyHunters' maximalist claims — will become clearer.
For now, the home security provider faces the uncomfortable reality of having been digitally burgled itself, with millions of customer records potentially in the hands of criminals. The incident serves as a stark reminder that even companies selling security can fall victim to sophisticated cloud-based intrusions, and that the gap between corporate incident definitions and attacker claims often leaves the public guessing at the real damage.