ADT confirms breach after ShinyHunters claims 10 million records stolen via vishing-compromised Okta SSO and Salesforce exfil

ADT, the largest US home security company, filed an SEC 8-K on April 24 confirming a breach detected April 20. ShinyHunters listed ADT on its 'pay or leak' portal claiming over 10 million records with an April 27 deadline. ADT says the dataset was limited to names, phone numbers, addresses, plus DOBs and last-four SSN/Tax IDs for a small subset; no payment data was accessed and alarm systems were unaffected. Initial access was a vishing attack against an employee that compromised an Okta SSO session, which attackers used to reach ADT's Salesforce - the same playbook ShinyHunters ran against Carnival.

Check

If you run Salesforce behind Okta or another SSO, audit conditional-access policies this week and assume vishing-driven session-hijack is a credible vector for your tenant.

Affected

ADT customers, particularly the prospective customers confirmed in the dataset. From a security standpoint: any organization using Salesforce behind SSO without device-bound auth or per-session re-auth on bulk exports. The pattern across ShinyHunters victims (Carnival, ADT, Zara, 7-Eleven) shows MFA alone does not stop this group once help-desk vishing succeeds.

Fix

Brief frontline staff on the vishing pattern: spoofed VoIP, attacker poses as IT, walks user through MFA enrollment. Run a tabletop. In Okta and Entra ID, alert on new device registrations and on bulk Salesforce exports outside business hours. Tighten Permission Set Groups for bulk exports. Consider FIDO2 or platform passkeys for any role with bulk customer-data access.