Charter Communications — the parent of consumer broadband and cable brand Spectrum — has confirmed a data breach after the extortion crew ShinyHunters added it to their data-leak site. The attack required no exotic exploit. It started with a phone call.

ShinyHunters told BleepingComputer that on April 1, 2026, they ran a voice phishing (vishing) operation against a Charter employee, talked their way into the worker’s Microsoft Entra account, and from there exported millions of customer records out of the company’s Salesforce instance. Charter was listed publicly on the gang’s extortion site on May 26, 2026, prompting the confirmation.

The numbers in dispute

As is typical with ShinyHunters, the headline figure is contested. The gang claims 42 million records. Have I Been Pwned, after ingesting the leaked dataset, lists 4.9 million unique email addresses — the firmer, verifiable number. Separate estimates have put the count of potentially affected individuals as high as 13 million, depending on how duplicate and partial records are counted.

According to the threat actors, the stolen data includes customer names, email addresses, physical addresses, phone numbers, phone type, plan information, customer-support ticket data, and — they allege — some customer proprietary network information (CPNI).

Charter, for its part, confirmed the incident but pushed back on the most sensitive claim. The company stated that “no sensitive personal information or customer proprietary network information was exfiltrated” and said it is alerting the appropriate authorities. That denial sits in direct tension with ShinyHunters’ assertion that CPNI was among the haul — a discrepancy that regulators and class-action attorneys will scrutinize, given the special legal protections CPNI carries for telecom subscribers.

A familiar playbook

The Charter intrusion is a clean fit for the pattern ShinyHunters has run all year: target the human, not the firewall. Rather than hunting for software vulnerabilities, the group phones help desks and employees, impersonates IT or trusted vendors, and convinces a real person to hand over single-sign-on credentials. Once inside an identity provider like Microsoft Entra, the attackers pivot to whatever SaaS platforms that identity unlocks — most often Salesforce, where enterprises warehouse vast troves of customer data in one queryable place.

Breached.company readers have seen this movie repeatedly. The same crew used Salesforce-centric vishing campaigns to hit a long roster of victims through 2026, and the Charter breach lands just over a week after Carnival disclosed its own 6-million-record ShinyHunters breach. The infrastructure is social engineering; the payload is SaaS data exfiltration; the finish is extortion.

Why telecom data matters

A telecom customer database is not just a marketing list. It ties names to physical service addresses, phone numbers and account plans — a high-value enrichment dataset for downstream fraud. Combined with the breach’s phone numbers and contact details, the leaked records give scammers exactly what they need to run convincing follow-on vishing and SIM-swap attacks against Spectrum subscribers themselves. The breach that began with one phone call can easily fund thousands more.

What Spectrum customers should do

Charter has not, at the time of writing, detailed an individual notification or credit-monitoring program. In the meantime, Spectrum subscribers should:

  • Treat unsolicited “Spectrum support” calls as suspect. The leaked data lets fraudsters reference real account details to sound legitimate. Hang up and call back on the official number.
  • Be alert to phishing referencing your plan, billing or support tickets — the attackers have your ticket history.
  • Enable multi-factor authentication on your Spectrum account and any email reused across services.
  • Watch for your address in the leak via Have I Been Pwned, which has loaded the dataset.

The broader lesson for enterprises is the one ShinyHunters keeps teaching: SSO and SaaS consolidation make a single tricked employee catastrophic. Phishing-resistant MFA, hardened help-desk verification, and tight limits on bulk Salesforce exports are no longer optional controls — they are the difference between a blocked phone call and a 4.9-million-record breach.
