ADT, the alarm company, breached … again

Hello folks,

For the third time in two years, ADT has apparently been breached.

The Jared Rimer Network released an intermediate podcast on our RSS feed, numbered 271A, to talk about this.

The initial news came from Kim Komando’s newsletter, where she often brings large company breaches like this to the public’s attention.

That podcast was released on the 27th, and at that time, we had not yet read the full articles. They have now been reviewed, and here are my thoughts along with what we currently know.

We discussed the initial report and Kim Komando’s write-up in TSB Podcast 271A. This article takes a deeper look at the reporting, verifies key claims, and raises additional questions based on what has now been reviewed.


The big question people may ask is: why did the podcast mention a 10 million number?

That is a fair question.

One of the two articles from Bleeping Computer references a claim by the group ShinyHunters that 10 million records were stolen. However, that number does not appear to be accurate when compared with other sources.

We looked at sites that independently verify these claims.

  • Have I Been Pwned, which appears to have undergone a redesign, still allows you to check if your email address is part of a breach. The “Who’s been pwned” section appears navigable with headings and tables, and from preliminary testing, looks to be accessible with screen readers like JAWS. The number listed in the table for ADT is 5.5m.
  • XposedOrNot, another resource we have covered on the blog, lists ADT at 5,501,080 records.

With both sources showing numbers in the 5 million range, the 10 million claim appears to be overstated.


Chew on this fact, which I learned while reviewing the articles:

Founded in 1874 as American District Telegraph, ADT is the oldest and largest home security company in the United States, currently providing monitored security and smart home solutions to over 6 million residential and small-business customers.

A company with that kind of history—and scale—should be setting the standard, not appearing in breach headlines repeatedly. I understand getting breached once; that can happen to anyone. The repeated nature of these incidents is what is concerning, especially for a company that has been in business for approximately 151–152 years.


Within the reporting, this paragraph is important:

‘The investigation confirmed that the information involved was limited to names, phone numbers, and addresses. In a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included.’

ADT has been in business since 1874, long before collecting data such as birthdates or partial Social Security numbers was even possible. That raises a fair question: how much of this data is actually required to provide security services, and how much of it is simply being collected because it can be?

That leads to several more important questions:

  • Why is this level of personal data being collected at all?
  • If it is collected for verification purposes, why is it retained afterward?
  • What services actually require birthdates or partial Social Security numbers?
  • What is the data retention policy once someone is no longer a customer?
  • Does this dataset include non-customers?
  • And most importantly, how does any of this information improve the security services ADT provides?

These are questions we may never get answers to.


The article continues:

‘Critically, no payment information — including bank accounts or credit cards — was accessed, and customer security systems were not affected or compromised in any way.’

That is good to hear, but it does not eliminate the core issue. Names, phone numbers, addresses, dates of birth, and partial SSNs are still highly sensitive. Exposure of that data creates real risk, regardless of whether payment systems were involved.


What has not been emphasized enough is how access was gained.

This reportedly started with a simple phone call. Someone impersonated a trusted entity and used voice phishing to gain entry. From there, single sign-on credentials were used to move through internal systems without detection. No sophisticated exploit—just social engineering.


What also was not covered in the podcast is that the dataset is reportedly around 11GB in size, and images circulating online appear to show samples of the data. Tools exist to extract information from those images, but that is outside the scope here. These images are included in the Bleeping Computer article and can be analyzed with the right tools.

One of the reports also indicated that a message was posted warning ADT to respond by a certain date, or the data would be leaked.


ShinyHunters, the group taking responsibility, has also been linked to other incidents. These include:

  • McGraw Hill, which we covered on the blog
  • Medtronic, which we link directly from Bleeping Computer
  • And additional claims involving companies such as the European Commission, Rockstar Games, 7-Eleven, Carnival, Zara, and Udemy

Some of these breaches may also be covered on the blog; use the blog's search tools to find them.

That is a significant number of organizations across multiple industries in a relatively short period of time. While the exact timeframe is not fully clear, ShinyHunters has been active since around 2020, appearing on and off in connection with major breaches. It is also worth noting that groups like this often change names or operate under different identities, meaning they could be active longer than publicly documented. This type of behavior is common in the cybercrime landscape, and people should be aware of it.


According to Kim Komando’s write-up, she recommends changing passwords across platforms such as ADT, Ring, and SimpliSafe. While that is a cautious approach, I am not fully ready to make that recommendation at this time. However, if credentials are reused across services, updating passwords is always a good idea.


What to Read

It would not be surprising to see additional coverage from outlets such as The CyberWire or Scott Schober’s podcast if that has not already occurred.


Other comments

Please understand that I am not a customer of these services, but I want to make sure that the information gets out.

This situation continues to highlight a larger issue: companies collecting—and retaining—more data than appears necessary to provide their services.

We cannot control what companies do, but we can ask questions, limit what we share, and stay aware.

I hope this is of value. Please stay safe, and continue doing what you can to protect your information.

