ShinyHunters posted Charter Communications on its dark-web extortion site on May 26, 2026, one day before a ransom deadline expired. The criminal group claimed to hold between 40 million and 42 million customer records belonging to Spectrum, Charter’s consumer brand and one of the largest cable and broadband providers in the United States. Have I Been Pwned (HIBP) confirmed 4.9 million affected accounts when it added the breach to its database on May 28, 2026. Cybernews, which reviewed a sample of the leaked dataset, counted at least 13 million individuals inside a 1.5 GB compressed archive. Charter served more than 32 million customers across 40 states at the time of the breach.
No malware was used. No zero-day vulnerability was exploited. The attackers made a phone call.
The Breach in Numbers
The Charter Communications incident is significant not just for its scale but for the gap between what the company acknowledged and what the attackers claimed. Charter confirmed a cybersecurity incident but said “no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated.” ShinyHunters disputed that directly, claiming CPNI was included in the haul alongside standard contact and account data.
Three separate figures have emerged for the size of the breach. HIBP’s 4.9 million figure represents unique email addresses it could verify. Cybernews counted 13 million individuals in a specific dataset it examined, noting that the group’s headline figure of 42 million likely included heavy duplication across records. The discrepancy is common in large-scale SaaS breaches where CRM systems store multiple entries per customer across different interaction types.
| Metric | Figure | Source |
|---|---|---|
| HIBP confirmed accounts | 4.9 million | Have I Been Pwned, May 28, 2026 |
| ShinyHunters claimed records | 40–42 million | Threat actor leak site |
| Cybernews verified individuals | 13+ million | Cybernews dataset review |
| Employee records with job titles | ~85,000 | HIBP breach entry |
| Customer support tickets (reported) | ~10 million | Secondary breach analysis |
| Charter customer base | 32+ million | Charter Communications |
| States affected | 40+ | Charter service footprint |
| Ransom deadline | May 27, 2026 | ShinyHunters leak post |
Data types confirmed in the breach include customer names, email addresses, physical addresses, phone numbers, device type, service plan information, and support ticket contents. The inclusion of support ticket data is particularly sensitive: those conversations often contain troubleshooting details, account history, and communications that customers expected to remain private.
How the Attack Unfolded: One Phone Call, Millions of Records
ShinyHunters said the initial access occurred on April 1, 2026, through vishing, a voice-based social engineering technique where attackers impersonate trusted parties over the phone to extract credentials or gain account approvals. A member of the group called a Charter employee, convinced them to cooperate, and compromised a Microsoft Entra account. From there, the attackers moved laterally into Charter’s Salesforce environment and began exporting customer records.
The attack relied entirely on human manipulation, not technical exploitation. Charter’s perimeter defenses, endpoint protection tools, and network monitoring were irrelevant once an employee approved access at the identity layer. The attackers reportedly did not install malware, move files through unusual network paths, or trigger alerts that would have flagged a conventional intrusion. They logged in as a legitimate user and left through the front door carrying customer data.
Charter did not publicly disclose the incident until May 26, 2026, the day before ShinyHunters’ ransom negotiation deadline. That 55-day window between initial compromise and public disclosure is consistent with a pattern the group has used repeatedly: gain access, exfiltrate data quietly, then surface with a payment demand timed to maximize pressure. When Charter did not meet the deadline, ShinyHunters published samples of the stolen data.
Microsoft Entra and Why SSO Is a Primary Attack Target
Microsoft Entra is Microsoft’s cloud identity and access management platform, used widely across enterprise environments for single sign-on (SSO) and multi-factor authentication (MFA). It is a high-value target for attackers precisely because of what it controls. Compromising a single Entra account can inherit access to dozens of downstream business applications tied to that identity, including cloud storage, CRM systems, internal wikis, email, and HR platforms.
In the Charter case, the Entra foothold unlocked access to Salesforce, which Charter uses as its primary customer relationship management system. Salesforce centralizes contact records, account history, service interactions, and support communications, making it one of the most data-rich applications in any enterprise environment. When attackers can reach a Salesforce org with administrative or export-level permissions, they can pull structured data at scale, often in minutes.
The combination of vishing and Entra compromise has become a signature technique for ShinyHunters. The group has used device-code phishing, a technique where attackers trick employees into authenticating on attacker-controlled devices, alongside traditional voice-based impersonation. Both methods bypass conventional security controls because the authentication appears legitimate: a real employee, on a real network, approving access that the identity platform then honors.
“ShinyHunters is a cybercriminal group specializing in large-scale data breaches and extortion. Individuals should always verify urgent or unusual requests through another communication method before responding.”
FBI, June 2026 public warning on ShinyHunters
Charter’s Response and the CPNI Dispute
Charter’s public statement acknowledged the incident while disputing its severity. The company said no CPNI was exfiltrated, a crucial distinction under FCC rules. Customer Proprietary Network Information is a category of telecom-specific data that includes call records, service subscriptions, and usage patterns. Carriers face strict FCC obligations to protect CPNI, and unauthorized disclosure can trigger enforcement actions and financial penalties.
ShinyHunters explicitly contested Charter’s CPNI claim. The group said its dataset did include CPNI-classified information. Without independent verification of the stolen data’s full contents, the dispute is unresolved. Cybernews’ review of the publicly released samples did confirm the presence of service plan information, which can overlap with CPNI depending on how narrowly the FCC’s definition is applied.
Charter confirmed it was alerting authorities. No specific FCC enforcement action or class action litigation had been publicly announced as of late May 2026, though law firm Scott+Scott opened intake for potential affected customers. The company notified HIBP, whose breach entry became the authoritative public record for the 4.9 million figure. An estimated 85,000 records from an internal employee directory were also included in the leaked material, with job titles attached.
“Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information was exfiltrated.”
Have I Been Pwned, breach entry for Charter Communications, May 28, 2026
ShinyHunters: History, Scale, and Criminal Infrastructure
ShinyHunters emerged publicly in May 2020, initially advertising stolen databases on dark-web forums. In its early years, the group focused on credential theft and selling stolen records. By 2024, it had shifted toward a more sophisticated model: gaining access to enterprise cloud environments, exfiltrating at scale, and then using “pay or leak” extortion to extract ransoms directly from the affected organizations.
The group is believed to be linked to The Com, a loose network of English-speaking cybercriminals known for social engineering, SIM swapping, and corporate access fraud. Multiple members have been publicly identified and charged by US law enforcement over the years, though the group continued operating under the same brand and tactics. The FBI issued a specific public warning about ShinyHunters in June 2026, urging individuals and organizations to verify unsolicited communication requests through independent channels.
The group’s 2024 campaign targeting organizations using Snowflake data warehouses produced some of the largest individual breach records in history. Ticketmaster was the most visible victim, with ShinyHunters claiming 560 million customer records. AT&T disclosed a breach affecting more than 110 million customers tied to the same campaign. Santander also appeared in attributed breach reporting, as did Qantas, which reported approximately 5.7 million affected customers in 2025.
| Breach | Year | Claimed Scale | Attack Method |
|---|---|---|---|
| Ticketmaster | 2024 | 560 million records | Snowflake credential theft |
| AT&T | 2024 | 110+ million customers | Snowflake credential theft |
| Santander | 2024 | Multiple countries, undisclosed count | Snowflake campaign |
| Qantas | 2025 | ~5.7 million customers | Credential theft |
| Salesforce campaign | 2025–2026 | 1.5 billion records, 1,000+ orgs | Vishing, device-code phishing |
| TELUS | 2026 | ~1 petabyte claimed | Social engineering |
| Charter / Spectrum | 2026 | 4.9M confirmed, 42M claimed | Vishing via Microsoft Entra |
| 7-Eleven, ADT, Instructure, Vimeo | 2026 | Multiple incidents | Same vishing playbook |
The 1.5 Billion Record Salesforce Campaign
The Charter breach is not an isolated incident. Security researchers tracking ShinyHunters’ 2025-2026 activity documented a campaign targeting organizations through their Salesforce integrations and connected applications. The campaign reportedly affected more than 1,000 organizations and produced an estimated 1.5 billion stolen records, according to analysis published before the Charter disclosure.
The mechanics of the campaign exploited trust: attackers used vishing and device-code phishing to gain initial access, then pivoted through Salesforce’s OAuth integrations and connected applications to reach data across multiple business systems. Because Salesforce is deeply integrated into modern enterprise operations, a single compromised identity can cascade across sales, marketing, customer service, and partner data simultaneously.
ShinyHunters reportedly attempted to extort Salesforce itself as part of this campaign. That escalation, targeting the platform vendor rather than just its customers, reflects how central SaaS infrastructure has become to large-scale data theft operations. The campaign also targeted TELUS, Canada’s largest telecom, with the group claiming nearly one petabyte of stolen data and demanding $65 million in ransom.
“A single phone-based social-engineering call allegedly led to compromise of an employee identity account and then to large-scale data export from cloud systems. The attackers did not break in. They logged in.”
Security analysis of the ShinyHunters Salesforce campaign, 2026
Telecom Under Siege: A Pattern of Major Breaches
Charter is the latest in a series of major US telecom and cable providers to disclose significant data breaches in the past three years. AT&T disclosed in 2024 that data on more than 110 million customers had been stolen via the Snowflake campaign, making it one of the largest telecommunications breaches on record. T-Mobile disclosed a breach affecting 37 million customers in early 2023, tied to API abuse rather than credential theft. Comcast, which disclosed a breach affecting approximately 36 million Xfinity customers in late 2023, linked the incident to an unpatched vulnerability in Citrix software.
The pattern across these incidents shows that attack methods are converging on identity and access rather than perimeter exploitation. AT&T and Charter both fell via credential theft tied to cloud environments. T-Mobile’s API breach reflected inadequate authentication on customer-facing endpoints. The shift matters because traditional defenses (firewalls, intrusion detection, endpoint agents) are largely irrelevant when the attacker presents valid credentials obtained through social engineering.
Telecoms are high-value targets for several reasons beyond customer scale. They hold CPNI, which is regulated and legally sensitive. They often process billing data across millions of accounts. Their customer service systems store rich interaction histories. And their scale means a single breach can supply attackers with enough contact and identity data for millions of follow-on phishing and fraud campaigns.
Why Vishing Now Outpaces Technical Exploits
Vishing’s effectiveness has grown as enterprise security controls have matured. Organizations that have invested heavily in endpoint detection, network segmentation, and vulnerability management have made technical exploitation more expensive for attackers. Social engineering bypasses those investments entirely by targeting the weakest point in any security architecture: human judgment under pressure.
A well-crafted vishing call does not require the attacker to know anything about the target’s technical infrastructure. It requires only a convincing pretext, a sense of urgency, and a target employee who believes they are speaking to a legitimate authority, whether a coworker, an IT administrator, or a vendor. In the Charter case, the attackers secured access to a Microsoft Entra account through a single call that lasted long enough to compromise credentials or approval flows.
The Verizon Data Breach Investigations Report has documented social engineering as one of the most consistent breach vectors across multiple years of data. Vishing specifically has gained prominence as MFA adoption has increased: attackers now regularly use real-time phishing and voice calls to intercept MFA codes or trick employees into approving push notifications at the moment the attacker attempts to log in. Organizations with MFA deployed are not protected against these techniques unless those MFA flows are resistant to real-time interception, such as hardware security keys or passkey-based authentication.
“Vishing exploits the fundamental weakness in every security system: that humans make decisions under uncertainty, time pressure, and social influence. No firewall stops a convincing phone call.”
Proofpoint 2026 threat intelligence analysis on social engineering escalation
What the Stolen Data Enables
The combination of data types in the Charter breach creates a rich profile for downstream fraud. Customer names, email addresses, physical addresses, and phone numbers are the baseline inputs for targeted phishing and smishing campaigns. When that contact data is paired with service plan information and support ticket contents, attackers can craft highly specific messages that reference real account details, making them significantly more persuasive than generic phishing attempts.
Support ticket data deserves particular attention. Customers discussing billing disputes, service outages, or account changes with Spectrum support often share context, account numbers, payment preferences, and device details. That information, in the hands of criminals, enables impersonation attacks where the attacker can accurately reference a customer’s recent interaction with the company to establish trust before requesting sensitive information or account changes.
The 85,000 internal employee records also create risk beyond customer impact. Job titles allow attackers to identify high-value employees for targeted spear-phishing, business email compromise (BEC) attacks, and follow-on vishing campaigns targeting Charter internally. Executive and IT administrator records are especially valuable for fraud operations that seek to abuse internal processes or approvals.
FCC Rules and the CPNI Question
The Federal Communications Commission’s CPNI rules impose specific data protection obligations on telecommunications carriers. CPNI encompasses information a carrier acquires through its relationship with a customer in providing telecommunications services, including the quantity, technical configuration, type, destination, location, and amount of use of a service. Unauthorized disclosure of CPNI triggers notification and reporting obligations, and repeated or egregious violations can result in substantial FCC fines.
Charter’s insistence that no CPNI was exfiltrated is legally significant. If the FCC finds otherwise based on its own investigation or on evidence produced through litigation or regulatory inquiry, the company would face a different compliance posture than if customer data exposure was limited to contact information and account metadata. ShinyHunters has a financial incentive to claim CPNI was included, as that heightens Charter’s legal exposure and increases leverage for extortion. That conflict of interest does not resolve the factual question either way.
Separate from CPNI, the breach implicates state data breach notification laws across the 40+ states where Charter operates. Most states require notification to affected residents within 30 to 90 days of discovering a breach. Charter’s timing, discovering access in late April or May and disclosing publicly on May 26, would need to be measured against each state’s specific clock to assess compliance.
Competitive Context: ShinyHunters vs. Other Cybercrime Groups
ShinyHunters occupies a specific niche in the organized cybercrime ecosystem. Unlike ransomware groups such as LockBit or ALPHV, which encrypt systems and demand payment for decryption keys, ShinyHunters focuses on data exfiltration and extortion. The group does not disrupt operations; it steals data and threatens publication. This model carries lower operational risk for the attackers, because it does not generate the immediate alarms that system encryption typically triggers, and can produce sustained leverage over victims for weeks or months.
The group’s reliance on social engineering rather than malware also distinguishes it. Traditional ransomware groups typically invest in maintaining and deploying custom code, managing infrastructure, and evading endpoint security tools. ShinyHunters invests in human intelligence: understanding how enterprise help desks and IT support workflows operate, and crafting pretexts that exploit those workflows. That approach is harder to counter with technology alone.
In the 60 days before the Charter breach, ShinyHunters is reported to have used the same vishing playbook against 7-Eleven, ADT, Instructure, and Vimeo. The rapid succession of targets suggests systematic industrialization: the group is running a repeatable process across multiple corporate targets simultaneously rather than dedicating extended reconnaissance to any single victim.
What Spectrum Customers Should Do Now
Spectrum customers should assume their contact information (email address, phone number, and physical address) has been exposed regardless of whether Charter’s narrower assessment of CPNI exposure proves correct. That assumption drives the right protective actions.
Targeted phishing is the primary near-term risk. Attackers who hold customer names, emails, and service plan details will use that information to craft messages that appear to come from Spectrum, referencing real account details to establish credibility. Customers should treat any unsolicited communication claiming to be from Spectrum with heightened skepticism, verify billing or account changes by logging in directly to spectrum.net rather than clicking links, and report suspicious calls or messages to the company.
Checking HIBP at haveibeenpwned.com will confirm whether a specific email address appears in the Charter breach dataset. Customers whose email addresses are confirmed in the breach should change that password anywhere else it is reused, enable two-factor authentication on their email account and primary financial accounts, and monitor their credit reports for new account applications or unusual activity. Free credit monitoring through one of the three major bureaus provides an early warning layer for identity-based fraud.
Security Implications for Enterprise Identity Programs
The Charter breach reinforces a lesson that the 2024 Snowflake campaign began to establish: perimeter-focused security investment does not protect organizations when identity is the attack surface. Enterprise security programs that have not yet implemented phishing-resistant MFA, meaning hardware security keys or device-bound passkeys rather than SMS or push-notification codes, remain vulnerable to the specific technique ShinyHunters used here.
Vishing-resistant authentication flows require that approval happens through a channel the attacker cannot intercept in real time. A push notification to a mobile device can be approved by an employee who believes they are speaking to a legitimate IT administrator. A hardware security key or a FIDO2 passkey bound to a specific device cannot be approved through a phone call, because the cryptographic handshake requires physical presence at the registered device.
Organizations running Salesforce or other high-volume CRM environments should also audit which accounts hold export-level permissions. The principle of least privilege applies with particular force to systems that can return millions of structured records in response to a single API call or export command. Restricting export permissions to named roles with additional verification requirements would have limited the scope of what ShinyHunters could extract even after gaining Entra access.
“Identity is now the perimeter. Once attackers can authenticate as a legitimate user, network segmentation and endpoint controls provide no meaningful resistance. The entire defensive model has to shift upstream to where identity is established.”
Security architecture analysis following the 2026 vishing-to-SaaS breach pattern
5 Predictions: What This Breach Means for Telecom Security
- FCC enforcement action within 12 months. The conflicting CPNI claims will draw regulatory attention. The FCC has used recent telecom data incidents to expand its enforcement posture, and a breach of this scale at a major carrier is unlikely to close without some form of formal inquiry or consent decree, particularly given the disputed CPNI question.
- Vishing-resistant MFA will accelerate as a procurement requirement. Enterprises that suffered or observed vishing-based breaches in 2025-2026 will begin requiring FIDO2 or hardware-key authentication in technology vendor contracts. Early indications from enterprise security procurement surveys suggest MFA type, not just MFA presence, will become a standard due-diligence question by late 2026.
- ShinyHunters will face increased international law enforcement pressure. The group’s volume and brand visibility have made it a priority target. The 2024 arrest of alleged members following the Snowflake campaign showed that the group’s operational security has limits. A campaign affecting this many named US companies in such a short window increases pressure on law enforcement to act.
- Salesforce and major SaaS providers will add anomalous-export alerts. The ability to pull millions of records through a legitimate API session without triggering automated alerts is a design gap that platform vendors will address. Expect new controls around bulk export velocity, off-hours data access, and geographic anomalies in session behavior across major CRM providers.
- Telecom-sector security spending will increase 15-25% in the next budget cycle. AT&T, T-Mobile, Comcast, and now Charter have all disclosed significant breaches within three years. Regulatory pressure, litigation exposure, and reputational cost will push telecom security budgets upward, with the largest allocations going to identity security, security awareness training, and third-party SaaS access governance.
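
One way to implement the export controls discussed above (bulk export limited to named roles, plus alerts on export velocity, off-hours access and unfamiliar session geography), run over constructed audit events. This is an added example, not code from Charter, Salesforce or this article; the event fields, role names, baseline and thresholds are assumptions to be mapped onto whatever export or API audit log your CRM provides.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real system). Field names are
# hypothetical; "XX" stands in for a country the user has never logged in from.
SAMPLE_EVENTS = [
    {"user": "agent.lee",   "role": "support_agent", "ts": "2026-03-10T14:05:00", "rows": 180,     "country": "US"},
    {"user": "analyst.kim", "role": "data_steward",  "ts": "2026-03-10T15:00:00", "rows": 40_000,  "country": "US"},
    {"user": "agent.lee",   "role": "support_agent", "ts": "2026-03-11T02:10:00", "rows": 250_000, "country": "XX"},
    {"user": "agent.lee",   "role": "support_agent", "ts": "2026-03-11T02:25:00", "rows": 400_000, "country": "XX"},
    {"user": "analyst.kim", "role": "data_steward",  "ts": "2026-03-11T16:30:00", "rows": 35_000,  "country": "US"},
]

# Assumed policy inputs: roles allowed to bulk-export, and a per-user
# baseline of countries seen in earlier sessions.
APPROVED_ROLES = {"data_steward"}
KNOWN_COUNTRIES = {"agent.lee": {"US"}, "analyst.kim": {"US"}}


def detect_export_anomalies(events, approved_roles, known_countries,
                            role_row_cap=1_000,
                            window=timedelta(hours=1),
                            window_row_limit=500_000,
                            work_hours=range(8, 19)):
    """Return [(user, timestamp, [reasons])] for each event that trips a rule.

    Timestamps are assumed to be ISO 8601 strings in the organization's
    working time zone, so the hour can be compared to work_hours directly.
    """
    recent = defaultdict(deque)  # user -> (time, rows) pairs inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        user, rows = ev["user"], ev["rows"]
        reasons = []

        # Least privilege: only named roles may pull more than a small batch.
        if ev["role"] not in approved_roles and rows > role_row_cap:
            reasons.append("unapproved-role-bulk-export")

        # Velocity: total rows this user exported in the trailing window.
        q = recent[user]
        q.append((when, rows))
        while q and when - q[0][0] > window:
            q.popleft()
        if sum(r for _, r in q) > window_row_limit:
            reasons.append("export-velocity")

        # Off-hours access.
        if when.hour not in work_hours:
            reasons.append("off-hours")

        # Session geography not in the user's baseline.
        if ev["country"] not in known_countries.get(user, set()):
            reasons.append("new-country")

        if reasons:
            alerts.append((user, ev["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect_export_anomalies(
            SAMPLE_EVENTS, APPROVED_ROLES, KNOWN_COUNTRIES):
        print(f"{ts} {user}: {', '.join(reasons)}")
```

The session is valid in every alerted event, which is the point: the signal comes from what the authenticated account does with export access, not from whether the login succeeded.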
Frequently Asked Questions
Was my Spectrum account breached?
Check your email address at haveibeenpwned.com. HIBP added the Charter breach on May 28, 2026, with 4.9 million confirmed email addresses. If your address appears, treat your contact information and service account details as exposed. Change any passwords you reuse with that email address and enable two-factor authentication on your primary accounts.
What data was stolen from Charter Communications?
Confirmed data types include customer names, email addresses, physical addresses, phone numbers, device types, service plan information, and support ticket data. Charter denied that Customer Proprietary Network Information (CPNI) or sensitive financial data was included. ShinyHunters disputed that claim. An internal employee directory of approximately 85,000 records with job titles was also in the leaked material.
How did ShinyHunters breach Charter?
The group used vishing, a phone-based social engineering attack, to compromise a Charter employee’s Microsoft Entra (SSO) account on April 1, 2026. That identity access was then used to reach Charter’s Salesforce customer relationship management environment, where the attackers exported customer and support records. No malware and no software vulnerability were involved in the attack.
Is my credit card information at risk from the Charter breach?
There is no confirmed reporting that payment card data was included in what ShinyHunters exfiltrated from Charter. Charter’s statement specifically addressed CPNI and sensitive personal information, not payment card data. Payment card data is typically stored in separate, PCI-DSS-governed systems. However, the exposure of contact and account data creates risk for targeted phishing attacks designed to trick customers into disclosing financial information voluntarily.
What is ShinyHunters and why do they keep breaching large companies?
ShinyHunters is an English-speaking cybercriminal group believed to be affiliated with The Com criminal network. Active since 2020, the group has shifted from selling stolen databases to running large-scale extortion operations targeting enterprise cloud environments. Their primary technique is social engineering, specifically vishing and device-code phishing to compromise identity systems, followed by bulk data export and pay-or-leak extortion. Major attributed breaches include Ticketmaster (560 million records), AT&T (110+ million customers), and a Salesforce campaign affecting 1,000+ organizations and 1.5 billion records.
What should businesses do to prevent vishing attacks like this one?
The most direct control is deploying phishing-resistant MFA, specifically FIDO2 hardware security keys or device-bound passkeys, for all accounts with access to high-value systems. Push-notification MFA and SMS codes can be intercepted or approved during a vishing call; hardware-bound authentication cannot. Beyond authentication, organizations should implement strict verification procedures for any request involving account access changes, restrict export-level permissions in CRM systems to named roles with additional approval steps, conduct regular vishing simulation exercises, and train help desk staff specifically on how to handle calls that request credential resets or account approvals.
Did the FCC take action after the Charter breach?
No formal FCC enforcement action had been publicly announced as of late May 2026. Charter confirmed it was alerting authorities. Given the disputed CPNI question and the size of the breach, regulatory scrutiny is expected. The FCC has signaled increased focus on carrier data security following the broader wave of telecom breaches from 2023 onward, and the agency has authority to investigate CPNI compliance independently of any legal action Charter may face from affected customers.




