ADT disclosed unauthorized access to cloud-based environments after detecting activity on April 20, 2026, and leaksear.ch has indexed 8.66 million related customer, prospective-customer, and support-case records (leaksear.ch metadata, www.sec.gov). Have I Been Pwned lists the ADT breach as affecting 5.5 million unique email addresses, with names, phone numbers, physical addresses, dates of birth, and partial government IDs among the exposed data (haveibeenpwned.com).
What happened
ADT's April 24, 2026 Form 8-K says the company became aware of unauthorized access to certain cloud-based environments on April 20, terminated the access, activated its incident-response plan, engaged third-party cybersecurity experts, and notified law enforcement. ADT said limited customer and prospective-customer data was accessed, and that it did not believe the incident was reasonably likely to materially affect its financial condition, results, or ongoing operations (www.sec.gov).
Public reporting tied the incident to ShinyHunters. BleepingComputer reported that the group listed ADT on its leak site, claimed to have stolen more than 10 million records, set an April 27, 2026 deadline, and said it accessed ADT through a vishing attack that compromised an employee Okta SSO account before pivoting into Salesforce (www.bleepingcomputer.com). BankInfoSecurity later reported that ShinyHunters posted a zip file it said contained more than 10 million records, while also noting Have I Been Pwned's count of 5.5 million unique email addresses (www.bankinfosecurity.com).
leaksear.ch metadata identifies the indexed dump as an 11 GB archive named shouldve_paid_the_ransom, combining Salesforce Account, Contact, Case, and AI-outreach Lead objects (leaksear.ch metadata). ADT did not publicly confirm the attackers' claimed record volume in the reporting reviewed here (www.bleepingcomputer.com).
What data was exposed
The leaksear.ch index includes searchable names, email addresses, phone numbers, physical addresses, countries, and dates of birth (leaksear.ch metadata). The indexed records also contain account, contact, lead, and support-case context, including account names and status fields, billing, shipping, mailing, and other address components, case numbers, case notes and comments, chat history, lead outreach replies, product-interest fields, customer and system identifiers, credit-check consent and scoring references, balance and invoice fields, and tax or SSN-related field names (leaksear.ch metadata).
Public reporting says ADT described the exposed information as names, phone numbers, and addresses, with dates of birth and the last four digits of Social Security numbers or Tax IDs present in a small percentage of cases. ADT also told BleepingComputer that payment information, including bank accounts and credit cards, was not accessed, and that customer security systems were not affected or compromised (www.bleepingcomputer.com).
Why this matters
The exposed combination of contact details, home addresses, account context, and support-case history can support targeted phishing, customer-support impersonation, and social-engineering attempts that reference ADT service history. Dates of birth and partial government identifiers can also increase identity-verification and fraud risk for affected people. For security teams, the Salesforce and support-case context makes this useful for pretexting against customers, dealers, support desks, and account-recovery workflows.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, password, and phone.