ADT Breach Exposes Data of 5.5 Million Customers, ShinyHunters Likely Behind Attack
2026-4-27 20:59:31 Author: securityboulevard.com

The threat group ShinyHunters is claiming responsibility for a data breach of giant home security company ADT last week that exposed the sensitive data of as many as 5.5 million current or potential customers.

The prolific threat group listed ADT on its leak site, saying it had grabbed more than 10 million records that it claimed included not only personally identifiable information (PII) but also corporate data from ADT.

ADT, which has more than 6 million residential and small business customers in the United States and Canada, notified the U.S. Securities and Exchange Commission (SEC) about the breach in a brief filing late last week, as reports surfaced that the company was attacked and that ShinyHunters was behind it.

Company executives told the SEC that ADT learned of the “unauthorized access to certain cloud-based environments” on April 20, terminated the unauthorized access, put its incident response plan in motion, and began an investigation with the help of third-party cybersecurity experts and law enforcement.

‘Limited’ Amount of Data Accessed

They wrote that “only limited customer and prospective customer data was accessed” and that they didn’t think the attack would have a material impact on the company’s business operations or financial numbers.

The Boca Raton, Florida, company offers a range of products and services, from intruder and motion detectors to video cameras and control of the systems from a mobile app.

Have I Been Pwned, a service that keeps track of data breaches, wrote in a posting on X that ADT was hit with a “pay or leak” extortion attack that led to 5.5 million unique emails being published by ShinyHunters. The stolen data also includes names, addresses, phone numbers, and a small number of dates of birth and partial Social Security numbers.

The service also noted that 71% of the data was already in Have I Been Pwned databases.

Stolen Information Leaked

ShinyHunters leaked an 11 GB archive of stolen data on the dark web, claiming ADT had not complied with its demand that the company pay by April 27.

The attackers told BleepingComputer that they were able to breach the ADT systems by compromising the Okta single sign-on (SSO) of an employee who was victimized through a voice phishing (vishing) scam.

It follows what threat researchers with security firm Silent Push reported in January about a widespread identity-theft campaign by Scattered Lapsus$ ShinyHunters, a group that includes members from ShinyHunters, Lapsus$, and Scattered Spider. According to the researchers, the group was targeting more than 100 “high-value” enterprises through Okta’s SSO and other SSO platforms.

Expanding Vishing Campaign

“This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing … operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups,” they wrote. “The primary infrastructure being used is a new ‘Live Phishing Panel.’ This allows a human attacker to sit in the middle of a login session, intercepting credentials and MFA tokens in real-time to gain immediate, persistent access to corporate dashboards.”

The campaign targeted organizations in a range of sectors, including technology and software, financial services, biotech and pharmaceuticals, healthcare, and logistics.

Phishing Kits Detected

The report came out days after Okta researchers said they had detected a number of custom phishing kits that were being used in vishing campaigns. They were available as a service and were being used by a growing number of bad actors targeting such high-profile companies as Google and Microsoft, as well as Okta and a number of cryptocurrency providers.

“The kits are capable of intercepting the credentials of targeted users, while also presenting the supporting context required to convince users to approve MFA challenges, or to take other actions in the interests of the attacker on the phone,” Okta researchers wrote. “They can be adapted on the fly by callers to control what pages are presented in the user’s browser, in order to sync with the caller’s script and whatever legitimate MFA challenges the caller is presented with as they attempt to sign-in.”

Google’s Mandiant business in late January reported similar findings, noting expanded threat activity that included tactics consistent with previous ShinyHunters extortion campaigns.

The ADT breach came to light the same week that ShinyHunters leaked data stolen – about 38 million files – from other companies the group claimed to have breached, including retailer Zara, cruise line company Carnival, and 7-Eleven.

‘Identity-First’ Attack

Noelle Murata, COO of security firm Xcape, said the ADT and Carnival breaches exposed a critical flaw in the modern defenses of enterprises: the “identity-first attack.”

“ShinyHunters didn’t breach these companies through complex zero-days,” Murata said. “They manipulated the human layer via vishing to hijack Okta sessions and walk through the front door of their Salesforce environments.”

She also noted the four days between ADT detecting the breach and publicly disclosing it.

The lag “suggests a period of high-stakes internal forensics – or a failed attempt to contain the news before the extortionists went public,” Murata said. “To be blunt, a four-day incident response window is not ‘quick,’ as ADT claims.”

Source: https://securityboulevard.com/2026/04/adt-breach-exposes-data-of-5-5-million-customers-shinyhunters-likely-behind-attack/