A Phone Call Took Down ADT. Los Angeles Businesses Use the Same Tools Their Employee Did.

THE SHORT ANSWER

In April 2026, a hacking group called ShinyHunters called an ADT employee, impersonated IT support, and talked their way into the employee’s Okta single sign-on account. From there, they pulled data out of ADT’s Salesforce instance and claimed to have taken more than 10 million customer records. This attack method is called vishing: voice phishing. It requires no malware, no zero-day exploit, and no technical sophistication on the victim’s end. It requires one employee to believe they are talking to someone they are not. Los Angeles businesses running Okta, Salesforce, Microsoft 365, or Google Workspace face the same exposure. The tool that protected ADT’s systems failed because a person was manipulated before the software ever got involved.

IT Accuracy  |  Managed IT Services, Los Angeles  |  Date: May 9, 2026  |  12 min read

AT A GLANCE

ShinyHunters used a vishing call to compromise an ADT employee’s Okta SSO account and access Salesforce data containing up to 10 million customer records
Vishing bypasses technical security controls entirely. No malware, no exploit, no brute force. One phone call and one employee is all it takes.
ShinyHunters has used this same method against Ticketmaster, Rockstar Games, McGraw Hill, and dozens of other organizations since 2024
Any Los Angeles business using Okta, Microsoft Entra, Google SSO, Salesforce, or Microsoft 365 is operating in the same attack environment as ADT
IT Accuracy helps Los Angeles businesses implement phishing-resistant MFA, employee security training, and the verification procedures that stop vishing before it starts

The ADT breach confirmed in April 2026 did not start with a software vulnerability. It started with a phone call. That distinction matters more for Los Angeles businesses than the breach itself, because the attack method used against ADT targets people, not systems, and people are present in every organization regardless of size, industry, or how sophisticated their IT setup is.

What Vishing Is and Why It Works

Vishing stands for voice phishing. It is the phone call equivalent of a phishing email: an attacker calls an employee, impersonates someone with authority or technical credibility, and manipulates that employee into providing access, credentials, or sensitive information. The voice component is deliberate. People apply different skepticism standards to phone calls than to emails. A suspicious link in an email is a known warning sign. A professional, helpful-sounding voice on the phone triggers different instincts.

In the ADT case, ShinyHunters called an employee and impersonated IT support. The employee, doing what most employees do when IT support calls with an issue to resolve, cooperated. The attacker walked away with the employee’s Okta single sign-on credentials. With those credentials, they authenticated into ADT’s systems and began pulling data from the company’s Salesforce instance.

This is the architecture that makes vishing so effective against organizations running modern SaaS environments. Okta, Microsoft Entra, and Google SSO are single sign-on platforms. They are specifically designed to give authenticated users access to multiple applications through one login. That is their value to the organization. It is also what makes a compromised SSO account more damaging than a compromised individual application login. One set of credentials. Many connected systems. That is why the way your network and access architecture is configured determines how much damage a single compromised login can do.

Why vishing is not a new problem

Vishing is not a recent invention. It is a variation of social engineering that has been used in fraud and corporate espionage for decades. What changed is the target. ShinyHunters and similar groups have industrialized vishing specifically to compromise cloud SSO accounts because those accounts are the master key to everything in a modern SaaS environment. The attack is low-tech by design. The payoff is high-tech by architecture.

How the ADT Attack Actually Worked: The Five Steps

Understanding the attack sequence matters because each step represents a place where a different control could have stopped or limited the damage. Most post-breach analyses focus on what happened. This one focuses on where it could have been interrupted.

The ADT vishing attack, step by step

Step 1 — Reconnaissance
Attacker identifies an employee with system access
ShinyHunters researched ADT before making the call. This typically involves identifying employees through LinkedIn, company directories, or data from previous breaches. The target is usually someone in IT, in operations, or in a role that either has broad system access or sits close enough to it to be a believable entry point.

Step 2 — The Call
Attacker impersonates IT support and establishes urgency
The call is scripted to sound like a routine IT support interaction: there is an issue with the employee’s account, a security alert, a system update that requires verification. Urgency is introduced early. The attacker sounds professional, uses internal-sounding terminology, and guides the conversation to a single ask: the employee’s Okta credentials or an action that grants the attacker access.

Step 3 — SSO Compromise
Attacker gains access to Okta single sign-on
With the employee’s Okta credentials, the attacker now has authenticated access to every application connected to that SSO profile. In ADT’s environment, this included Salesforce. In other organizations, this same type of compromise has yielded access to Microsoft 365, Google Workspace, Slack, Zendesk, Dropbox, SAP, and other enterprise platforms. SSO is the blast radius multiplier.

Step 4 — Data Exfiltration
Attacker pulls records from Salesforce
ShinyHunters accessed ADT’s Salesforce instance and extracted customer and prospective customer records. The group claimed over 10 million records containing names, phone numbers, addresses, and in some cases dates of birth and partial Social Security numbers. ADT disclosed the breach on April 24, 2026 and confirmed unauthorized access was detected on April 20.

Step 5 — Extortion
Attacker posts leak threat with ransom deadline
ShinyHunters published the breach on their dark web data leak site and gave ADT a deadline of April 27, 2026 to pay an undisclosed ransom or face a public data release. This is the group’s standard operating procedure. Data theft as leverage is more predictable than ransomware and does not require the attacker to maintain access after exfiltration.
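
Steps 3 and 4 leave a trail a defender can correlate: an SSO sign-in from a device the user has not used before, followed by unusually large CRM exports. The sketch below is an added example, not part of the original article or any vendor's tooling; the event fields, user and device names, time window and threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Added example. Event fields, names and limits below are constructed
# assumptions, not a real Okta or Salesforce log schema.
WINDOW = timedelta(minutes=60)   # how long to watch after a new-device login
EXPORT_THRESHOLD = 5000          # records exported within the window

KNOWN_DEVICES = {"avery": {"laptop-a1"}, "blake": {"laptop-b7"}}  # baseline

EVENTS = [  # constructed, already-normalised sample log
    {"ts": "2026-01-15T09:02:00", "user": "blake", "type": "sso_login", "device": "laptop-b7"},
    {"ts": "2026-01-15T09:10:00", "user": "blake", "type": "crm_export", "records": 12000},
    {"ts": "2026-01-15T14:31:00", "user": "avery", "type": "sso_login", "device": "unknown-x9"},
    {"ts": "2026-01-15T14:40:00", "user": "avery", "type": "crm_export", "records": 3000},
    {"ts": "2026-01-15T14:55:00", "user": "avery", "type": "crm_export", "records": 4000},
    {"ts": "2026-01-15T16:00:00", "user": "avery", "type": "crm_export", "records": 9000},
]

def detect(events, known_devices):
    """Alert when a login from an unseen device is followed by bulk export."""
    alerts, watch = [], {}  # watch: user -> state for the open window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["type"] == "sso_login":
            if e["device"] not in known_devices.get(user, set()):
                watch[user] = {"start": ts, "device": e["device"], "total": 0}
        elif e["type"] == "crm_export" and user in watch:
            w = watch[user]
            if ts - w["start"] > WINDOW:
                del watch[user]          # window expired, stop counting
                continue
            w["total"] += e["records"]   # small exports add up
            if w["total"] >= EXPORT_THRESHOLD:
                alerts.append({"user": user, "device": w["device"],
                               "records": w["total"], "at": e["ts"]})
                del watch[user]          # one alert per suspicious login
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_DEVICES):
        print(alert)
```

The rule deliberately ignores blake's large export from a known device; volume-only alerting is a separate rule with its own baseline.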

This Is Not an ADT Problem. It Is a SaaS Authentication Problem.

ADT is a $5.1 billion company with dedicated security infrastructure. The breach did not happen because ADT lacked resources. It happened because a human employee was socially engineered before any of that infrastructure could respond. That same dynamic applies to a 40-person professional services firm in downtown Los Angeles running Salesforce for their CRM, Microsoft 365 for their email, and Okta or Google SSO to manage access across both.

ShinyHunters has demonstrated a consistent capability to execute this exact attack across organizations of different sizes, industries, and technical sophistication levels. Confirmed victims include Ticketmaster, Rockstar Games, McGraw Hill, Bumble, Match Group, PowerSchool, multiple universities, and luxury brands including LVMH and Kering. The connecting thread is not industry. It is the presence of cloud SSO connected to SaaS data.

If your organization uses any of the following, your employees are operating in the same threat environment as ADT’s: Okta, Microsoft Entra, Google SSO, Salesforce, Microsoft 365, Google Workspace, Slack, Adobe, Zendesk, Dropbox. That list covers the majority of Los Angeles businesses that have modernized their IT infrastructure in the last five years. Managed IT and professional services firms. Law offices. Real estate groups. Healthcare practices. Construction companies. The tool stack is the exposure.

The MFA problem with vishing

Standard multi-factor authentication does not stop a vishing attack that uses real-time credential theft. If an attacker calls an employee, gets their username and password, then asks them to read the MFA code being sent to their phone, MFA has been bypassed without any technical exploit. Phishing-resistant MFA using hardware security keys or passkeys eliminates this vulnerability. Push-notification MFA does not.

What Vishing Resistance Actually Requires

Most security conversations about phishing focus on email. Security awareness training shows employees how to spot suspicious links, check sender addresses, and avoid clicking attachments from unknown senders. That training is still necessary. It does not address vishing.

Vishing resistance requires a different set of controls, starting with the verification procedure. Every organization with SaaS access needs a documented, enforced rule: IT support will never call an employee and ask for credentials, MFA codes, or account access. Not under any circumstances. Not for any reason. If an employee receives a call claiming to be IT support and asking for any of that information, the correct response is to hang up and call the IT department on a known, verified number. That procedure needs to be trained explicitly, not assumed.

Beyond the procedure, the technical controls that limit vishing damage are specific. Phishing-resistant MFA using hardware security keys or passkeys prevents an attacker from using a stolen password plus a social-engineered MFA code to authenticate. Conditional access policies that restrict which devices and networks can authenticate to SSO platforms reduce the window of opportunity after credentials are compromised. Session token limits prevent an authenticated session from persisting indefinitely after initial access.

Least-privilege access design limits the blast radius. In ADT’s case, the compromised Okta account had access to Salesforce. The question worth asking of any organization is: which applications does each employee role actually need access to, and is SSO access scoped accordingly? An employee who needs email and scheduling access does not need Salesforce. An employee who needs Salesforce does not necessarily need the HR platform. Access scoping does not prevent the initial compromise, but it determines how much data leaves with the attacker.

The vishing and social engineering threat landscape in 2026

Breaches involving a human element: 68%. Social engineering, phishing, and credential abuse account for most confirmed breach paths, not technical exploits.
Average cost of a social engineering breach: $4.5M+. Breaches initiated through social engineering consistently exceed the cross-industry average total cost.
ShinyHunters confirmed victims: 30+. Major organizations breached using SSO vishing and SaaS data exfiltration since 2024, spanning multiple industries.

Three Questions Los Angeles Businesses Should Ask About Their Current Setup

The ADT breach does not require an extensive response to be useful as a prompt. It requires three specific questions answered honestly about your current environment.

First, what type of MFA is protecting your SSO accounts? If the answer is push notifications to a phone, that is standard MFA, and it does not stop a vishing attack that asks the employee to approve the push or read the code aloud. Hardware security keys and passkeys eliminate this vulnerability because the second factor cannot be phished or socially engineered. If you do not know what type of MFA is in place, that is the first thing to find out.

Second, does your organization have a documented and trained procedure for handling calls claiming to be from IT support? Not a policy in a handbook nobody reads. A trained procedure that employees have practiced, that includes a specific callback number, and that explicitly states the rule: legitimate IT support will never ask for your credentials or MFA codes over the phone. If that procedure does not exist, you are relying on each individual employee’s judgment in a moment of social pressure, against attackers who practice this for a living.

Third, is SSO access scoped to what each employee role actually needs, or does an Okta compromise in your environment mean full access to every connected application? Answering that question requires a review of your SSO configuration and the applications attached to each access profile. Most organizations that have not done this review will find the access is broader than necessary. Narrowing it is not a major project. Not doing it is a major risk. For any organization reviewing IT security in Los Angeles, access scoping is where that review should start.
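
The first and third questions, and the least-privilege point made earlier about scoping SSO access per role, can be answered from an inventory of enrolled factors and assigned applications. The audit below is an added example, not code from the original article or from any SSO vendor; the inventory schema, user names, factor labels and role-to-application map are constructed assumptions.

```python
# Added example. The inventory schema, users and role map are constructed;
# they are not an Okta, Entra or Google export format.
PHISHING_RESISTANT = {"webauthn", "passkey"}  # hardware keys / passkeys
# Any other factor (push, sms, totp) can be approved or read aloud on a call.

ROLE_NEEDS = {  # hypothetical: applications each role actually needs
    "sales": {"salesforce", "m365"},
    "office_admin": {"m365"},
    "hr": {"m365", "hr_platform"},
}

USERS = [  # constructed sample inventory
    {"user": "avery", "role": "sales", "factors": ["push", "sms"],
     "apps": ["salesforce", "m365", "hr_platform"]},
    {"user": "blake", "role": "office_admin", "factors": ["webauthn"],
     "apps": ["m365", "salesforce"]},
    # A strong factor is enrolled, but TOTP is still accepted as a fallback,
    # so a caller can still talk the user into reading out a code.
    {"user": "casey", "role": "hr", "factors": ["webauthn", "totp"],
     "apps": ["m365", "hr_platform"]},
    {"user": "devon", "role": "sales", "factors": ["passkey"],
     "apps": ["salesforce", "m365"]},
]

def audit_user(u):
    """Answer questions one and three for a single account."""
    apps = set(u["apps"])
    phishable = sorted(set(u["factors"]) - PHISHING_RESISTANT)
    return {
        "user": u["user"],
        "phishable_factors": phishable,
        "vishable": bool(phishable),
        "excess_apps": sorted(apps - ROLE_NEEDS[u["role"]]),
        "blast_radius": len(apps),  # apps reachable from one SSO login
    }

def audit(users):
    """Findings ordered worst first: phishable login, then widest reach."""
    findings = [audit_user(u) for u in users]
    return sorted(findings, key=lambda f: (not f["vishable"], -f["blast_radius"]))

if __name__ == "__main__":
    for f in audit(USERS):
        print(f)
```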

The calls are indistinguishable from legitimate IT support. Professional tone, internal terminology, a believable issue requiring urgent resolution. Training employees to verify every inbound request through a separate channel is not paranoia. It is the correct response to a documented, active threat campaign.

Security analysis of ShinyHunters vishing campaigns, 2025 to 2026

What IT Accuracy Does for Los Angeles Businesses Facing This Threat Environment

Most of the organizations ShinyHunters has breached had competent IT infrastructure. The gap was not technical capability. It was the specific controls and procedures that address human-layer attacks. That is where the work actually is for most Los Angeles businesses right now.

The immediate priority is MFA configuration review. Push-notification MFA is better than no MFA. It does not stop vishing. Identifying which accounts are protected by which MFA type, and prioritizing the upgrade path for high-value SSO accounts, is the highest-leverage security action most organizations can take in the next 30 days.

The second priority is the verification procedure. Writing and training a clear, specific protocol for handling calls claiming to be IT support, including what to do, who to call back, and what information to never provide over an inbound call, addresses the human element that technical controls cannot fully compensate for.

The third priority is access scoping. SSO is a productivity tool that also functions as a security perimeter. The configuration of which roles access which applications determines the blast radius of any future compromise. That scoping should reflect current roles and actual application needs, not the default configuration from when SSO was first deployed.

How IT Accuracy protects Los Angeles businesses from vishing and SSO attacks

Security controls built for the threat environment your organization actually operates in

IT Accuracy works with Los Angeles businesses to close the specific gaps that vishing attacks exploit: MFA configuration, access scoping, employee verification procedures, and the monitoring that catches unusual authentication activity before data leaves the environment.

If your organization runs Okta, Microsoft Entra, or Google SSO connected to Salesforce, Microsoft 365, or other SaaS platforms, we can assess your current exposure and implement the controls the ADT incident illustrates were missing.

Phishing-resistant MFA assessment and implementation for SSO-connected environments
Employee security awareness training with specific vishing and social engineering scenarios
SSO access scoping review to limit blast radius if credentials are compromised
Conditional access policy configuration for Okta, Microsoft Entra, and Google
Authentication monitoring and anomaly detection to flag unusual login patterns
Incident response planning so your team knows exactly what to do when a call like this happens

What to Do Before the Next ShinyHunters Campaign

ShinyHunters is an active group. They have operated through law enforcement pressure, membership changes, and public attention without stopping. Several members have been arrested and sentenced. The group has continued operating. ADT is not their last target. Businesses in Los Angeles that wait for the next high-profile breach to review their posture are making a reactive choice in a threat environment that does not pause.

The three actions with the highest return in the shortest time are all within reach for any organization. Confirm your MFA type on SSO accounts and begin upgrading push-notification MFA to phishing-resistant alternatives on your highest-value accounts. Write and distribute a one-page verification protocol for IT support calls. Review your SSO access configuration and remove application access that does not correspond to current role requirements.