What Happened
Home security company ADT disclosed on April 24 that the ShinyHunters extortion group compromised its systems and stole personal information belonging to 5.5 million customers and prospective customers. The breach was detected April 20 and reported to the SEC via an 8-K filing.
ShinyHunters told BleepingComputer the intrusion began with a voice phishing (vishing) call that convinced an ADT employee to hand over their Okta single sign-on credentials. With SSO access, the attackers moved laterally into ADT’s Salesforce instance and exfiltrated a database of customer records. The stolen data includes names, phone numbers, addresses, and in a portion of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs. No payment card data or home security system configurations were accessed.
ShinyHunters published an 11GB archive on its dark web leak site after ADT declined to negotiate, setting April 27 as a final deadline. ADT said customer security systems were not affected and operations were not disrupted. Source: BleepingComputer
Why This Matters for Canadian Organizations
The ADT breach is the latest entry in a long and growing list of ShinyHunters attacks in 2026 that follow the same playbook: vishing to steal SSO credentials, lateral movement into Salesforce, bulk data extraction, extortion. Canadian organizations have been directly in the crosshairs of this pattern. ShinyHunters breached Canada Life in April 2026, exposing 70,000 Canadians’ insurance data through a Salesforce tenant. The same group attacked Amtrak via Salesforce social engineering in April, and McGraw-Hill via Salesforce misconfiguration in the same month. TELUS Digital was compromised in March 2026, with ShinyHunters claiming nearly one petabyte of data stolen.
The consistency of the Salesforce and Okta SSO attack chain across these incidents is the critical signal for Canadian security teams. Any organization running Salesforce as a customer data platform — which includes the majority of Canadian financial services, insurance, telecommunications, and retail companies — is a candidate target. Okta SSO is equally prevalent in Canadian enterprise environments, and the human vector (vishing the helpdesk or a specific employee) bypasses technical MFA controls when an attacker can convince a target to approve a login or hand over a one-time code.
Under PIPEDA, Canadian organizations that suffer a data breach involving names, contact information, and partial identity numbers face breach notification obligations to both the Office of the Privacy Commissioner and affected individuals when there is a real risk of significant harm. The ADT breach data is now publicly available on the dark web, which means affected individuals face elevated phishing, identity fraud, and social engineering risk — exactly the kind of harm PIPEDA’s notification requirements are designed to address.
What to Do
Review your Salesforce access controls and Okta SSO configuration now. Audit which employee accounts have access to bulk customer data exports in Salesforce and apply the principle of least privilege aggressively. Disable or restrict the data export functionality for users who do not require it for day-to-day operations.
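One way to run the export-permission audit described above, as an added example that is not code from ADT, Salesforce or the original article. It assumes rows flattened from a SOQL query on `PermissionSetAssignment`; the function names, the allow-list and the sample rows are constructed for illustration.

```python
from collections import defaultdict

# Rows are assumed to be flattened from a SOQL query such as:
#   SELECT Assignee.Username, Assignee.IsActive, PermissionSet.Name,
#          PermissionSet.PermissionsExportReport, PermissionSet.PermissionsDataExport,
#          PermissionSet.PermissionsViewAllData, PermissionSet.PermissionsApiEnabled
#   FROM PermissionSetAssignment
# Profile-granted permissions appear too, via profile-owned permission sets.

# Permission fields that let a user pull records out of the org in bulk.
EXPORT_PERMS = {
    "PermissionsExportReport": "Export Reports",
    "PermissionsDataExport": "Weekly Data Export",
    "PermissionsViewAllData": "View All Data",
    "PermissionsApiEnabled": "API Enabled",
}

def audit_export_access(rows, approved):
    """Map each active, non-approved user to the export-capable permissions
    they hold and the permission sets that grant them."""
    approved = {u.lower() for u in approved}
    findings = defaultdict(lambda: defaultdict(list))
    for row in rows:
        user = row["Username"].lower()
        if not row["IsActive"] or user in approved:
            continue  # inactive users cannot log in; approved users need export
        for field, label in EXPORT_PERMS.items():
            if row.get(field):
                findings[user][label].append(row["PermissionSetName"])
    return {user: dict(perms) for user, perms in findings.items()}

def make_row(user, active, pset, **perms):
    return {"Username": user, "IsActive": active, "PermissionSetName": pset, **perms}

# Constructed sample data, not taken from any real org.
SAMPLE_ROWS = [
    make_row("alice.agent@example.com", True, "Support Agent", PermissionsExportReport=True),
    make_row("alice.agent@example.com", True, "Legacy Integration",
             PermissionsApiEnabled=True, PermissionsViewAllData=True),
    make_row("dataops@example.com", True, "Data Operations", PermissionsDataExport=True),
    make_row("bob.former@example.com", False, "Support Agent", PermissionsExportReport=True),
    make_row("carol.sales@example.com", True, "Sales User"),
]
APPROVED = {"dataops@example.com"}  # hypothetical allow-list of accounts that need export

if __name__ == "__main__":
    for user, perms in sorted(audit_export_access(SAMPLE_ROWS, APPROVED).items()):
        for label, sources in sorted(perms.items()):
            print(f"{user}: {label} via {', '.join(sources)}")
```

Each flagged user is a candidate for having the listed permission set removed or replaced with one that lacks export rights.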
Strengthen your defenses against vishing. Train employees — particularly IT helpdesk staff and those with access to SSO systems — on voice phishing scenarios. Implement call-back verification procedures before any credential reset or MFA bypass is performed over the phone. Require out-of-band confirmation for high-risk actions regardless of caller ID.
Enable Okta phishing-resistant authenticators (hardware security keys or device-bound passkeys) for accounts with access to customer data systems. SMS and TOTP codes are insufficient against a determined vishing attack. Review Okta session policies to ensure that SSO tokens expire at appropriate intervals and require re-authentication for sensitive operations.
If your organization uses Salesforce and holds Canadian personal information, conduct a tabletop exercise focused specifically on the Salesforce exfiltration scenario. The ShinyHunters TTPs are well documented — your incident response plan should address this specific attack chain before it is tested against you.






