If you’ve ever gotten a breach notification from a company you don’t remember signing up for, you’re not imagining it, and you’re not alone. The honest answer to “why was my data in a breach I never signed up for” is usually that your information was sitting in a vendor’s system — a customer support platform, a data broker, a partner database — that you never directly interacted with at all.
In 2026, several of the year’s largest breaches followed exactly this pattern. A single phone call to a single employee at ADT, Charter Communications, or Cisco was enough to expose millions of records, including people who had no idea their data was anywhere near that company.
A Phone Call, Not a Hack
The word “breach” tends to conjure an image of hooded figures cracking firewalls. That’s not what happened in any of these 2026 incidents. What happened was simpler and, in some ways, harder to defend against: someone called an employee on the phone and talked their way past identity verification.
This technique is called vishing — voice phishing. An attacker calls, often posing as IT support or a help desk, and convinces an employee to hand over a one-time passcode, approve a login prompt, or reset credentials on a single sign-on (SSO) account. Once that one account is compromised, the attacker isn’t breaking into the company’s network from the outside. They’re walking in through the front door, using the same identity an actual employee uses every day.
That distinction matters. Firewalls, intrusion detection, and patched servers don’t stop an attacker who has valid login credentials and valid multi-factor approval, because to every system in the building, they look like the employee they impersonated.
What Actually Happened at ADT, Charter, and Cisco
ADT
In April 2026, attackers identified as ShinyHunters used a vishing call to compromise one ADT employee’s Okta single sign-on account. That single compromised account opened the door to ADT’s Salesforce environment, where customer data lived.
ADT detected the intrusion, terminated the attacker’s access, and launched an investigation — but by then, the data had already been copied out. When ADT declined to pay a ransom, the attackers published an 11 GB archive publicly. Have I Been Pwned later confirmed roughly 5.5 million affected individuals, with exposed data including names, phone numbers, addresses, and in some cases dates of birth and partial Social Security numbers.
Charter Communications / Spectrum
Around April 1, 2026, a similar vishing attack compromised an employee’s Microsoft Entra account at Charter Communications, the company behind Spectrum. That compromised account, like ADT’s, opened access into the company’s Salesforce data.
The mechanism is the same story with different brand names: one social-engineered phone call, one compromised identity provider account, one path into a system holding customer records.
Cisco
At Cisco, an employee fell for a vishing attack that gave attackers access to user data, including email addresses and phone numbers. Again, the entry point wasn’t a software vulnerability. It was a conversation.
These three incidents, in the same year, at companies with serious security budgets and security teams, make a point worth sitting with: identity is now the primary target, not code.
Why a Phone Call Can Expose People Who Were Never Customers
Here’s the part that surprises most people: in incidents like these, the affected individuals aren’t only direct customers of the breached company. They can include people whose information ended up in that company’s systems through a completely separate relationship.
Salesforce and similar platforms often hold data from multiple sources. A company’s customer relationship management system might contain its own customers, plus leads purchased from a data broker, plus contact records shared by a business partner, plus records inherited from an acquisition. One compromised login can expose all of it at once.
B2B data sharing multiplies the blast radius. If Company A shares a dataset with Company B for a marketing partnership, a breach at Company B can expose Company A’s customers — people who never agreed to anything with Company B and may never have heard of it.
Data brokers compile records about people who never opted in anywhere. Some of the personal information sitting in a breached database was never voluntarily handed over to that specific company at all; it was purchased, scraped, or aggregated from other sources. For more on how that ecosystem works and how to push back on it, see our post on opting out of data brokers.
This is the mechanism behind a breach notification that makes no sense at first glance. You never signed up for ADT. You never had a Charter account. But your name, phone number, or address still ended up in the leaked archive, because some company you did business with — or some broker you never dealt with directly — passed your information along a chain that eventually ran through a vendor’s compromised system.
Why This Is Called “Third-Party Risk”
Security teams use the term third-party risk to describe exactly this exposure: the risk that your data is only as safe as the weakest vendor, partner, or contractor that touches it, regardless of how careful the company you actually trust has been.
A company can have excellent internal security and still suffer a major breach, because the breach didn’t happen to them directly — it happened to a vendor they share data with, or a platform like Salesforce that multiple companies plug into. The 2026 wave of vishing-driven breaches across unrelated industries (security systems, telecom, networking) shows how widespread this exposure is. These companies don’t compete with each other and don’t share infrastructure in any obvious way, yet they were hit by the same attack technique within the same stretch of months.
The practical takeaway isn’t that any one of these companies was unusually careless. It’s that every additional company holding your data is another vendor, another employee, another phone line that an attacker only needs to compromise once.
How to Check If Your Data Was Exposed
You don’t need to wait for a notification letter to find out if you were affected.
- Search your email at Have I Been Pwned. It indexes the ADT breach and many others, and will tell you which known incidents included your address.
- Check for direct notifications. Companies are generally required to notify affected individuals, though the timeline and thoroughness vary, so don’t rely on this alone.
- Search your name alongside the company name plus “breach” in a search engine. Class-action notices and news coverage sometimes surface exposure that hasn’t been formally communicated to you yet.
- Assume exposure if you’ve ever done business with a company in the same sector, even indirectly. If you’ve never been a direct ADT customer but a contractor, landlord, or previous occupant of your address used ADT services, your information may still be in their system.
What to Do If You Were Affected
Treat exposed personal details as permanently public, not recoverable. Unlike a password, your name, address, phone number, and date of birth can’t be reset. The realistic goal isn’t undoing the exposure — it’s limiting what an attacker can do with it.
Watch for follow-up phishing and vishing attempts. Breached contact information is frequently used to run a second wave of scams against the same victims, often referencing real details from the leak to sound credible. If someone calls citing your real address or account history, that’s a sign they may have bought your data from this exact breach, not proof they’re legitimate.
Freeze your credit if Social Security numbers were involved. The ADT breach reportedly exposed partial Social Security numbers for some individuals. A credit freeze is free and is the single most effective defense against new-account fraud.
Change passwords and enable two-factor authentication on accounts tied to the exposed identity provider. If a breach involved an SSO or identity platform like Okta or Entra, check whether any of your own accounts are linked to a similar single sign-on setup, and add multi-factor authentication wherever it’s missing.
Why Minimizing Vendors Matters More Than People Realize
Most privacy advice focuses on what you post, what permissions you grant, and what you click. Vendor risk is different — it’s exposure you accumulate passively, just by being a customer of companies that, in turn, do business with other companies.
You can’t fully control how many vendors a company you trust shares your data with. But you can control how many companies hold your data directly in the first place. Every account you create, every form you fill out, every app you grant access to is another node in a network that an attacker only needs to breach once, anywhere along the chain, to reach you.
This is part of why being deliberate about which apps and services hold your personal files and memories is worth more than a one-time privacy setting check. A photo storage app, a journal app, or a document scanner that quietly shares data with marketing platforms, analytics vendors, or data brokers becomes another link an attacker could exploit — even if the app itself is never directly hacked.
daftei is built around the opposite assumption: fewer places holding your data means fewer places that can leak it. Your files are encrypted with AES-256 at rest and TLS 1.3 in transit, daftei never sells data, never trains third-party AI models on your content, and never runs ads that would require sharing your information with ad-tech vendors. There’s no data broker relationship to worry about and no Salesforce-style shared CRM holding your files alongside unrelated companies’ customer lists, because the business model doesn’t depend on handing your data to anyone else.
The Pattern Will Repeat
ADT, Charter, and Cisco aren’t unrelated, isolated incidents — they’re three data points in the same trend. Attackers have learned that the cheapest way into a well-defended company isn’t a zero-day exploit, it’s a convincing phone call to one tired employee on a Tuesday afternoon. That technique doesn’t care what industry the target is in, and it will keep working until employee verification processes catch up to it.
You can’t fix another company’s phone verification process. What you can do is reduce how many companies are in a position to leak your data in the first place, watch for the secondary phishing wave that follows every major breach, and treat every unexpected breach notification as a reminder to check, rather than a reason to shrug.