ShinyHunters Just Claimed ADT for 10 Million Records. Five Days Ago Vercel Disowned the Same Claim. Was It Them This Time?
- Patrick Duggan
- 2 hours ago
- 4 min read
ADT confirmed a data breach this weekend. ShinyHunters claim 10 million records. ADT detected unauthorized access on April 20, terminated the intrusion the same day, and started an investigation. Five days earlier, on April 19, we published a post titled "ShinyHunters Claims Vercel. The Real ShinyHunters Says It Wasn't Them. We Checked." That post made one bet: somebody is using the ShinyHunters name without paying for the franchise.
Here is what we have on the ADT incident as of Saturday afternoon.
ADT's own statement says the data accessed was limited to names, phone numbers, and physical addresses, with a small percentage of records also containing dates of birth and the last four digits of Social Security numbers or Tax IDs. No payment information. No bank accounts. No credit card data. Customer security systems — the actual ADT alarms in homes and businesses — were not affected. ShinyHunters' claim of 10 million records is the attacker's number, not ADT's, and ADT has not confirmed the volume.
The attack chain is the part that matters. The threat actor compromised an ADT employee's Okta single sign-on account through a voice phishing call. With that SSO access, the attacker walked into ADT's Salesforce instance and exfiltrated customer data. Vishing into Okta into Salesforce. That is a known pattern. Mandiant tracks it under UNC6040 and UNC6395 in 2025. ShinyHunters' name has been attached to a string of these in the last twelve months.
The Vercel breach we covered on April 19 was different in mechanism. That one started with Lumma Stealer infecting a Context.ai employee through a fake game exploit, harvesting Google Workspace credentials, then pivoting through the Context.ai browser extension into a Vercel employee's account. Disclosure followed on April 20. Mandiant assessed the public ShinyHunters claim was likely an imposter using the established brand to extort. Real ShinyHunters or imposter, the actual blast radius was a limited subset of Vercel customer credentials.
Now ADT. Same week. Same claimed actor. Different mechanism. And the deadline ShinyHunters issued is April 27 — Monday — to leak the data unless ADT pays.
What is going on with the ShinyHunters name? Three possibilities, in order of probability based on what we have indexed.
One. The original ShinyHunters operation is back at scale and running an industrialized vishing-into-SaaS playbook. They are picking targets that have Salesforce as a CRM of record because Salesforce is where consumer-facing companies keep the customer file, and a Salesforce export in CSV is the cleanest single-shot deliverable for an extortion negotiation. ADT fits. Coca-Cola fit. The 2024 Snowflake-adjacent campaign fit.
Two. The name has been claimed publicly by multiple unrelated actors who are using ShinyHunters as a brand because the brand carries weight. Mandiant flagged this for Vercel. It has happened before with LockBit, with Conti, with Lapsus$. Once the name has reputational mass, anyone who runs a vishing call into a help desk and gets a Salesforce token can frame their breach as a ShinyHunters operation and pick up a 10x ransom multiplier on the way out.
Three. ShinyHunters has split into multiple cells, some of which still operate under a coherent OPSEC posture, and others of which are franchisees getting access to the brand in exchange for a cut. We saw this pattern with REvil's affiliate program and with the BlackCat affiliate marketplace. The brand is the asset; the technique is taught downstream.
We do not know which one of these is true for ADT yet. We will know more after April 27 if ShinyHunters actually publishes the dataset. The hash of the leak file, the formatting of the dump, the way the payment wallet is structured — those tell us whether we are looking at the same crew that ran the Coca-Cola operation last year or a downstream affiliate paying licensing fees to use the name.
For ADT customers, the practical steps are routine. If you are an ADT customer, your name, address, and phone number are likely already in the dataset. A small percentage of you also had DOB and SSN-last-four exposed. Watch for vishing follow-ons targeted at ADT customers specifically, because the attacker who got the data has both the customer list and the social engineering motive to chain into a second round of fraud. Do not give the last four of your SSN to anyone calling claiming to be ADT, your bank, or a federal agency. Do not approve any new MFA prompt unless you initiated the login.
For everyone else watching the security industry, the takeaway is the M.O. Vishing into Okta into Salesforce. We have indexed every published instance of this pattern we know about. If your organization has Okta SSO into Salesforce — and a lot of you do — it is worth running a tabletop on this exact chain. The weakest link is consistently a help desk agent who does not know that the voice on the line is not allowed to ask for an MFA reset.
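One way to turn that tabletop into a detection, as an added example that is not part of the original post and is not ADT's, Okta's, Salesforce's or Mandiant's own logic: correlate the three stages of the chain described above (a help-desk MFA reset on a user, a fresh session for that user from an IP they had never used, then a Salesforce report export by the same user) over normalised log events. The sample events are constructed for this example; the event type names are modelled on Okta System Log and Salesforce Event Monitoring names but should be checked against your own tenant's schema before use.

```python
"""Correlate help-desk MFA reset -> new-IP login -> Salesforce export.

Added example. The event type names below are assumptions modelled on
Okta System Log and Salesforce Event Monitoring; verify them against
your own tenant before relying on them.
"""
import json
from datetime import datetime, timedelta

MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
LOGIN_EVENTS = {"user.session.start", "user.authentication.sso"}
EXPORT_EVENTS = {"ReportExport"}  # Salesforce Event Monitoring

# Constructed sample events, one JSON object per line. Not from any real incident.
# j.doe: help desk resets MFA, a new IP logs in minutes later and exports 2.4M rows.
# a.smith: self-service reset from a known IP followed by a small export (benign).
SAMPLE_LOG = """
{"ts":"2026-04-20T13:02:11Z","source":"okta","type":"user.session.start","actor":"j.doe@example.com","target":"j.doe@example.com","ip":"203.0.113.10","outcome":"SUCCESS"}
{"ts":"2026-04-20T14:31:05Z","source":"okta","type":"user.mfa.factor.reset_all","actor":"helpdesk.agent@example.com","target":"j.doe@example.com","ip":"198.51.100.7","outcome":"SUCCESS"}
{"ts":"2026-04-20T14:38:40Z","source":"okta","type":"user.mfa.factor.deactivate","actor":"helpdesk.agent@example.com","target":"j.doe@example.com","ip":"198.51.100.7","outcome":"SUCCESS"}
{"ts":"2026-04-20T14:44:12Z","source":"okta","type":"user.session.start","actor":"j.doe@example.com","target":"j.doe@example.com","ip":"192.0.2.55","outcome":"SUCCESS"}
{"ts":"2026-04-20T14:46:00Z","source":"okta","type":"user.authentication.sso","actor":"j.doe@example.com","target":"j.doe@example.com","ip":"192.0.2.55","outcome":"SUCCESS","app":"Salesforce"}
{"ts":"2026-04-20T15:05:30Z","source":"salesforce","type":"ReportExport","actor":"j.doe@example.com","target":"j.doe@example.com","ip":"192.0.2.55","rows":2400000}
{"ts":"2026-04-20T09:15:00Z","source":"okta","type":"user.mfa.factor.reset_all","actor":"a.smith@example.com","target":"a.smith@example.com","ip":"203.0.113.22","outcome":"SUCCESS"}
{"ts":"2026-04-20T09:20:00Z","source":"okta","type":"user.session.start","actor":"a.smith@example.com","target":"a.smith@example.com","ip":"203.0.113.22","outcome":"SUCCESS"}
{"ts":"2026-04-20T10:00:00Z","source":"salesforce","type":"ReportExport","actor":"a.smith@example.com","target":"a.smith@example.com","ip":"203.0.113.22","rows":120}
"""


def parse_events(text):
    """Parse one JSON event per line; convert 'ts' to datetime and sort by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_vishing_chain(events, login_window=timedelta(hours=1),
                         export_window=timedelta(hours=2)):
    """Return one alert per user whose events match all three stages in order.

    Stage 1: an MFA factor reset on the user performed by a different account
             (help-desk assisted, the step a vishing call is trying to trigger).
    Stage 2: within login_window, a successful login for that user from an IP
             never seen for them before the reset.
    Stage 3: within export_window of that login, a Salesforce report export by the user.
    """
    alerts, seen = [], set()
    for i, reset in enumerate(events):
        if reset["type"] not in MFA_RESET_EVENTS or reset["actor"] == reset["target"]:
            continue
        user = reset["target"]
        # IPs this user successfully logged in from before the reset form the baseline.
        baseline_ips = {
            e["ip"] for e in events[:i]
            if e["target"] == user and e["type"] in LOGIN_EVENTS
            and e.get("outcome") == "SUCCESS"
        }
        login = next(
            (e for e in events[i + 1:]
             if e["target"] == user and e["type"] in LOGIN_EVENTS
             and e.get("outcome") == "SUCCESS"
             and e["ip"] not in baseline_ips
             and e["ts"] - reset["ts"] <= login_window),
            None,
        )
        if login is None:
            continue
        export = next(
            (e for e in events
             if e["actor"] == user and e["type"] in EXPORT_EVENTS
             and login["ts"] <= e["ts"] <= login["ts"] + export_window),
            None,
        )
        if export is None:
            continue
        key = (user, login["ts"])  # several reset events can lead to the same login
        if key in seen:
            continue
        seen.add(key)
        alerts.append({
            "user": user,
            "reset_by": reset["actor"],
            "reset_at": reset["ts"].isoformat(),
            "login_ip": login["ip"],
            "export_at": export["ts"].isoformat(),
            "export_rows": export.get("rows"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_vishing_chain(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run as a script it prints the single alert for j.doe; a.smith produces nothing because the reset was self-service and the login came from an already known IP. The rule is deliberately strict on stage 1 (reset by a different account) because that is the help-desk step the text singles out; loosening it to any reset trades false negatives for noise from legitimate device changes, so tune the two windows against your own Okta and Salesforce volumes.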
We will update this post when ShinyHunters either publishes the data Monday or doesn't.
Sources: BleepingComputer ADT confirmation, ADT official statement, Recorded Future Record, CyberInsider analysis, Yahoo Finance reporting, Mandiant Vercel attribution thread.