ShinyHunters Alleges 42M Records Stolen from Charter Communications

ShinyHunters Alleges 42M Records Stolen from Charter Communications

ShinyHunters Alleges 42M Records Stolen from Charter Communications

Image: Media_photos/Envato Elements

Charter confirmed a cyber incident after ShinyHunters claimed it stole Spectrum customer data through vishing and SaaS account access.

Written By
Ken Underhill
Ken Underhill
May 28, 2026

Voice phishing is becoming a cloud security problem, not just a help desk problem.

Charter Communications confirmed a cybersecurity incident after the ShinyHunters extortion group claimed it had stolen customer data and threatened to leak it unless a ransom was paid. The company, which operates under the Spectrum brand, said it is investigating the incident and coordinating with authorities.

“The Charter breach is a reminder that the most sophisticated security stack in the world can be undone by a convincing phone call,” Andrew Chipman, GRC manager at ProCircular, said in an email to eSecurityPlanet.

Key takeaways of the Charter Communications incident

According to BleepingComputer:

  • Charter Communications confirmed an incident after the ShinyHunters group claimed it stole customer data from the company’s environment.
  • The threat actor alleged the breach began with a vishing attack that compromised a Microsoft Entra account and enabled access to Charter’s Salesforce environment.
  • ShinyHunters claimed it stole more than 42 million customer records, though Charter denied that sensitive personal information (CPNI) was exfiltrated.

Inside the Charter incident

The alleged breach highlights the growing threat posed by social engineering campaigns targeting cloud identity platforms and enterprise SaaS environments.

According to BleepingComputer, the ShinyHunters extortion group claimed it gained access to Charter Communications systems through a voice phishing (vishing) attack that compromised an employee’s Microsoft Entra account.

The attackers allegedly used that access to gain entry to the company’s Salesforce environment, where they exported large volumes of customer data.

What data was allegedly stolen

While Charter stated that sensitive personal information and customer proprietary network information (CPNI) were not exfiltrated, ShinyHunters claimed it stole more than 42 million customer records.

According to the threat actor, the data included names, email addresses, phone numbers, physical addresses, plan details, and customer support ticket information.

Charter did not confirm the scale of the alleged theft and instead reiterated its original statement denying exposure of sensitive customer data. Have I Been Pwned later pegged the exposed dataset at 4.9 million unique email addresses, while Cybernews separately estimated that at least 13 million individuals may have been exposed.

Advertisement

Identity platforms are increasingly targeted

The incident demonstrates how a single compromised identity account can create broader exposure across interconnected cloud services.

Many organizations now rely on single sign-on (SSO) platforms such as Microsoft Entra, Okta, and Google Workspace to manage authentication across business-critical SaaS applications.

As a result, attackers increasingly target identity systems because compromising a single account can provide access to platforms such as Salesforce, Microsoft 365, Slack, Zendesk, and Dropbox.

ShinyHunters’ broader campaigns

ShinyHunters has been linked to several SaaS-focused extortion campaigns over the past year, particularly targeting Salesforce environments and stolen OAuth tokens associated with third-party integrations.

The group was also reportedly connected to attacks targeting education technology provider Instructure, which disrupted Canvas services and allegedly exposed data associated with tens of millions of students.

How organizations can reduce risk

Attackers continue to target single sign-on platforms, third-party integrations, and authentication workflows to access enterprise systems.

To reduce risk, organizations should adopt a layered security approach that includes stronger identity protections, improved SaaS monitoring, and tested incident response plans.

  • Implement phishing-resistant MFA, conditional access policies, and device trust requirements to reduce the risk of credential theft and unauthorized access to SaaS.
  • Monitor SaaS environments for unusual login activity, abnormal OAuth consent grants, and large-scale data exports that may indicate account compromise.
  • Restrict OAuth application permissions, regularly audit third-party integrations, and rotate API tokens to limit persistent attacker access.
  • Enforce least-privilege access controls and separate administrative accounts from standard user accounts to reduce opportunities for lateral movement.
  • Deploy data loss prevention (DLP) policies and role-based restrictions to better control access to sensitive customer and business data.
  • Conduct regular employee training focused on vishing, MFA fatigue attacks, and impersonation tactics used in social engineering campaigns.
  • Test incident response plans and use attack-simulation tools with scenarios involving identity compromise.

Collectively, these steps can help organizations build resilience against identity-based attacks while reducing exposure across cloud and SaaS environments.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.