From Email to Exfiltration: How Threat Actors Steal ADP Login and Personal Data

Some client companies were not careful enough with these codes and posted them publicly on their websites. Yes, the software exports to several popular payroll applications, including several different versions of ADP software. The DOJ complaint also alleges Sullivan deceived the new management of the company about the incident after it hired a new CEO in 2017.

What should affected users do?

• Broadcom and ADP discovered in December 2024 that stolen data had been published online, but it wasn’t until May 12, 2025 that Broadcom received full clarity on what data had been compromised.
• At the time of the breach, Broadcom was already in the process of transitioning away from both ADP and BSH, but crucially, the switch had not been finalized when attackers struck.
• ADP has thus far not released information on how many records were put at risk by the successful hack against them, and security experts stress that ADP itself was not hacked.
• While Broadcom no longer contracts with ADP or BSH for its payroll operations, the fallout from the breach will likely reverberate for months as investigations continue and affected individuals take precautions against potential identity theft or social engineering attempts.
• A ransomware attack on a Middle Eastern payroll services provider has resulted in a significant data breach affecting employees of semiconductor giant Broadcom.

Welcome to Daily Security Review, the premier source for news and information on security threats, Ransomware and vulnerabilities. Broadcom serves some of the world’s largest companies across key industries such as technology, finance, and telecommunications—its clients include Apple, Samsung, Cisco, and British Airways, among others. Broadcom and ADP discovered in December 2024 that stolen data had been published online, but it wasn’t until May 12, 2025 that Broadcom received full clarity on what data had been compromised. The breach stems from a supply chain compromise that ultimately led to sensitive employee information appearing on the dark web. Our specialists are ready to guide you through the HR options and find the perfect fit for your business.

Once hackers gain access to the data https://rpmlogix.rcreative.marketing/what-is-fob/ elements required for registration, they are able to create fraudulent ADP accounts within ADP’s self-service portal for customer employees that had not previously registered for the portal. The company says it provides ADP payroll services customers with a customer-specific link and a static code that are both required for their employees to register for the portal. Tax information for customers of ADP payroll services is now in the hands of hackers who could use the information to make fraudulent claims for tax refunds. Using personal information gathered from other sources, hackers were able to round up data from about 724,000 compromised taxpayer accounts. Identity thieves stole tax and salary data from payroll giant ADP by registering accounts in the names of employees at more than a dozen customer firms, KrebsOnSecurity has learned.

It says affected stores may have had customer data exposed, including basic contact information, such as email, name, and address, as well as order details, like products and services purchased. InstaCart, a grocery and home essentials delivery service, denies a data breach is the source of customer information being sold online on hacker forums. By way of inserting a malicious code into the software, hackers managed to access information provided by customers making purchases. The website with the most passwords stolen was Facebook with 318,000, however the hacked company that possesses the biggest risk to businesses is ADP, which is a popular payroll management app. With over 640,000 client companies, this had potential to be a catastrophic security breach of employee ID information. In that instance the hackers retrieved W2 information and filed fake tax returns.

• ADP spokesperson told The Register “only a small subset of ADP clients” were affected by the breach at BSH, and only “certain countries in the Middle East” were involved.
• The breaches occurred after modifications made to its mobile app exposed to the risk of unauthorized access the information of 21,541 GrabHitch drivers and passengers.
• ADP has not explicitly mentioned reaching out to affected users.
• An employee must provide their unique registration code and personal information, including Social Security Numbers and birth dates, to access their organization’s ADP site.
• Once the user clicks the URL, they are redirected to a phishing page shown in Figure 2 that mimics the legitimate ADP website, making it appear authentic to the user’s eyes.
• The website with the most passwords stolen was Facebook with 318,000, however the hacked company that possesses the biggest risk to businesses is ADP, which is a popular payroll management app.

Norton Rose Fulbright is currently helping multiple companies investigate and respond to these types of incidents. Create your account and adp hack connect with a world of communities. I checked my bank account this morning and i had no deposit. The CybersecurityUpdate Email Newsletter is your essential source for the latest in cybersecurity news, threat intelligence, and risk management strategies.

ADP Vendor Risk Report

The first step involves setting up the account, which requires social security numbers and other personal data (i much of which can be obtained from an ADP paycheck) that hackers are very good at getting their hands on. Account Data Processing or ADP is the world’s largest HR firm, handling tax and payroll accounts for more than 640,000 companies that collectively employ millions of people. ADP is the world’s largest HR firm, handling tax and payroll accounts for more than 640,000 companies that https://medical.unib.ac.id/1-9-the-adjustment-process-financial-and/ collectively employ millions of people. The first step involves setting up the account, which requires social security numbers and other personal data that hackers are very good at getting their hands on.

Self-Replicating Worm Infiltrates npm Supply Chain, Compromises 187 Package

HR in any organization should be prepared to take action if employees are affected. And, whatever happened to all of the “know your customer” rules that banks are supposed to have before opening up such an account to receive the money? I’ve been direct depositing to the same account for at least 10 years, and filing late in the year, you would think the IRS would take note of that before blindly sending a direct deposit to some thief’s account. It may be possible that your company is one of the hundreds of thousands that rely on ADP for this function. A report naming 69,087 public servants including their personal and banking details was accidentally emailed to the wrong federal departments. Such data, according to the ADP, were not harvested from its systems, but must have already been in the hands of the crooks.

Submit a Support Inquiry

Threat actors are continually trying to find new (and old) ways to trick users into helping deploy malware into enterprise environments. When the Windows Command Script file is opened in a text editor, we can see more of the malicious intent. Examining the LOGO file using hex dump, we can see that this is an executable file as evidenced by the magic bytes “MZ” in the file header. It should also be noted that there is no link to click at the bottom of the file as was indicated in the warning on the download page.

“BSH/ADP have been working with ADP and outside experts to investigate the incident and take the necessary steps to harden BSH’s environment to protect from similar attacks. Local law enforcement and data protection authorities have been notified.” However, Krebs notes that more could be affected by the ADP Payroll Services data hack. For everything included in our Complete package plus enhanced HR support and perks for you and your employees. Trusted by over 900,000 small business clients Join the 4,000+ organizations that use KnowBe4 and make your employees your first line of defense.

Additionally, many companies post unique ADP identification codes publicly for the convenience of their employees. Unfortunately, due to the multitude of breaches that have occurred over time, such personal information is widely available for purchase by malicious actors on the dark web and the black market. Perfect for IT security professionals and business leaders focused on protecting their organizations. While Broadcom no longer contracts with ADP or BSH for its payroll operations, the fallout from the breach will likely reverberate for months as investigations continue and affected individuals take precautions against potential identity theft or social engineering attempts. For other enterprises, the incident serves as a potent reminder of the limitations of perimeter-based security and the need for a “trust but verify” approach—even when delegating critical HR and payroll processing to established third parties.

The process of transitioning payroll providers, already complex given compliance and regional legal considerations, was further complicated by the lack of timely breach disclosure from BSH and ADP. The group, which has been active in targeting third-party service providers, managed to exfiltrate employee data as part of its campaign. “The data taken by the criminal actor was in an unstructured format, so definitively determining which employees were impacted and, for each employee, which data fields were disclosed, was a lengthy process for BSH/ADP,” read an internal email shared by The Register.

According to BuzzFeed News, sellers on two dark web stores are hawking information from 278,531 InstaCart accounts. In the email, a hacker posing as Spiegel requested payroll information for existing and ex-employees. The bottom line is keep HR, as well as all employees, educated and security systems up to date. ADP, a provider of payroll, tax, and benefits administration, was hacked. Similarly, earlier this year the University of Virginia reported that hackers broke into a component of their HR system and attained access to sensitive employee information such as W2s and banking details.

When the file has the same name as a folder in the archive, the contents of the folder (which may be malicious) can be triggered to execute when the user clicks on the benign file. The vulnerability allows for arbitrary code to be executed when a user tries to open a benign file (here the PDF file) in the archive. It also claims that the user will need to confirm that they have reviewed the terms by clicking on a link at the end of the file. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. A comprehensive legal guide to Türkiye’s business environment, investment climate and regulatory landscape for companies and investors entering the Turkish market.

After entering the user ID and password, the user will be redirected to the phishing page shown in Figure 3. Once the user clicks the URL, they are redirected to a phishing page shown in Figure 2 that mimics the legitimate ADP website, making it appear authentic to the user’s eyes. This pressure tactic is designed to make the user click the malicious URL without thinking. To help employees identify phishing threats and become the first line of defense against threat actors, we broke down this real-life example. Nor will DataBreaches ever pay anyone for data or to interview them.

ADP, on the other hand, noted that certain companies posted their unique ADP corporate registration codes to an unsecured website. ADP is sending letters to all employees affected and offering a free year of ID theft protection,” the entry said. This vendor risk report is based on UpGuard’s continuous monitoring of ADP’s security posture using open-source, commercial, and proprietary threat intelligence feeds. Poor password management can put your business at serious risk.