ADT breach exposed data on 5.5 million people

ADT says attackers accessed personal information tied to 5.5 million people in a breach detected on April 20, according to reporting from BleepingComputer and breach-tracking service Have I Been Pwned. The company said the exposed data included names, phone numbers, and addresses, while a smaller subset also included dates of birth and the last four digits of Social Security numbers or tax IDs.

This matters because ADT sits at the intersection of physical security and consumer trust. Even though the company says no payment information was accessed and customer security systems were not compromised, a breach at a home-security brand carries extra weight. People do not just hand these companies email addresses. They trust them with information tied to where they live and how they protect their homes.

According to BleepingComputer, the attackers claimed they got in by compromising an employee's Okta single sign-on account through a voice-phishing attack, then used that access to reach a Salesforce instance. That attack path is becoming a familiar one across enterprise SaaS environments: steal an identity token, pivot through cloud software, and extract large volumes of customer data without touching the core product itself.

The broader implication is that identity security is still the soft spot for many large companies. If the reported details hold up, this was not a sophisticated exploit against ADT's monitored systems. It was a reminder that help desks, SSO workflows, and SaaS administration remain high-value targets. As first reported by BleepingComputer, the breach is also being linked to ShinyHunters, a group that has been tied to multiple recent extortion and data-theft campaigns.