Three breaches in ten days. In two of them, the attacker never wrote a line of code.

Short answer

Between April 17 and May 2, 2026, ADT, Medtronic, and Trellix each confirmed unauthorized access to internal systems. ShinyHunters claimed ADT and Medtronic. The entry point in both confirmed cases was a phone call to one employee. No malware. No exploit. A conversation.

What happened

ADT detected the intrusion on April 20. The company disclosed on April 24 via SEC Form 8-K. The method, confirmed by ShinyHunters to BleepingComputer: a vishing call to an employee, a compromised Okta SSO account, then a pivot into Salesforce. ADT contained the breach the same day, brought in external forensic investigators, and notified the FBI. Confirmed data includes names, phone numbers, and addresses. A smaller subset includes dates of birth and the last four digits of a Social Security or Tax ID number. No payment data. No access to customer security systems. Have I Been Pwned indexed 5.5 million unique email addresses from this incident. ADT has not confirmed ShinyHunters’ claimed 10 million records. The negotiation deadline was April 27. It passed. ShinyHunters said ADT refused to pay.

This is ADT’s third confirmed breach in under twelve months. August 2024. October 2024. April 2026.

Medtronic disclosed the same day, also via Form 8-K. ShinyHunters listed the company on April 17 and 18 with a negotiation deadline of April 21. Medtronic confirmed unauthorized access to corporate IT systems and stated that product systems, patient safety, and clinical operations were not affected. The company has not confirmed ShinyHunters’ claimed 9 million records, which allegedly include Social Security numbers, dates of birth, medical information, and government identification documents. The listing disappeared from the ShinyHunters site after the deadline passed.

Trellix disclosed on May 2. Unauthorized access to a portion of internal source code repositories. External forensic experts engaged. Authorities notified. The company states there is no evidence the code was modified and no evidence the release pipeline was affected. No customer data compromise confirmed. The investigation is active. Trellix was formed in 2022 from the merger of McAfee Enterprise and FireEye.

The attack pattern behind two of the three

The method ShinyHunters used against ADT and Medtronic is consistent across their documented targets. A vishing call. An employee who believes they are speaking with IT or a vendor. A credential provided under pressure, or an MFA push approved in real time. The attacker enters with a legitimate session. Every downstream system sees a normal login.

Standard TOTP-based MFA does not stop this. The code is valid. The session is authentic. The employee handed both to someone they believed was on their side. Mapping which credentials open which systems before an incident occurs is the same analysis an attacker runs before placing the call. The only authentication method that resists real-time vishing is a hardware FIDO2 key or a passkey bound to the device. The cryptographic proof is tied to the legitimate origin. If the attacker is not on the real site, the authentication fails regardless of what the employee does.

ADT knew this after August 2024. They knew it again after October 2024.

Why Trellix is a different kind of problem

When ADT loses names and phone numbers, the harm is documented and bounded.

When a cybersecurity company’s source code is accessed, the harm is longer and quieter. An attacker reading that code is not looking for customer records. They are looking for gaps in the detection tools their future targets rely on for defense. What signatures miss. What behavior goes unlogged. Where the tooling is blind. FireEye went through a comparable incident in December 2020, when attackers accessed red team tools and operational documentation. The full scope of what was learned from that access was never public.

Trellix has stated there is no evidence of modification and no pipeline impact. Those statements address what was done with the access. What was understood from it remains an open question.

What it means by audience

For lawyers and NGO workers, the authentication stack is the perimeter. Okta and Salesforce are standard infrastructure in professional environments. Both were accessed in confirmed ShinyHunters attacks using the same method. If your team approves MFA pushes on demand or reads codes over the phone, a single well-targeted call opens the same door. The discipline required to protect communications between a lawyer and a client under active legal pressure extends to the systems those communications run through.

For military families and anyone in an active separation proceeding, the ADT breach is immediate. Names, home addresses, and in some records partial Social Security data are now in an extorted database that ADT declined to pay for. What that exposure means for someone whose address is operationally sensitive is not theoretical. The dataset exists. Check Have I Been Pwned for your email address. Factor the exposure into what you share and with whom, starting now.

For journalists, the Trellix incident is the slower concern. If detection tooling you rely on was produced by a company whose source code was accessed, the integrity of that layer is an open question until the forensic investigation closes. The documented pattern of communications infrastructure failing journalists consistently shows the same structure: the breach came from a layer assumed to be safe. For a full operational baseline, see our digital security guide for journalists.

Frequently asked questions

Should ADT customers do anything now?

Check Have I Been Pwned for your email address. If you are in the dataset, assume your name, phone number, and home address have been exposed. Be skeptical of any call or email claiming to be from ADT in the coming weeks. Phishing campaigns that use breach data to impersonate the breached company are common in the weeks following disclosure. ADT will contact affected customers directly.

Does the ADT breach affect home security systems?

No. ADT confirmed that customer security systems, monitoring infrastructure, and home access controls were not affected. The breach was limited to corporate IT systems holding customer account and contact data. The operational systems that control sensors, alarms, and access were not part of the compromised environment.

Is TOTP-based MFA now useless?

No. It stops the majority of automated attacks and credential stuffing. What it does not stop is real-time social engineering, where an attacker walks a victim through authentication live on a call. For accounts that protect sensitive systems or client data, hardware FIDO2 keys or device-bound passkeys are the only methods that are cryptographically resistant to this vector. TOTP codes, SMS, and push approvals all require the human to be the last line of defense.

What makes the Trellix breach harder to assess than the other two?

With ADT and Medtronic, the question is what data was taken. The exposure is defined and finite. With Trellix, the concern is what was understood about the codebase. Detection logic, behavioral rules, and signature coverage inside that source code could give a sophisticated attacker an asymmetric advantage over organizations running those tools. Trellix has confirmed no modification and no pipeline impact. What the attacker learned from read access to the code does not have a public answer yet.

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.

Similar Posts