Charter Data Breach Exposes 4.9 Million Customer Accounts

Key Takeaways

• 4.9 million unique email addresses were exposed in the breach, along with names, phone numbers, and physical addresses
• Attackers used voice phishing to compromise an employee's Microsoft Entra account on April 1
• Charter refused to pay the ransom, and ShinyHunters leaked the stolen data on their dark web site

Charter Communications, the parent company of Spectrum, confirmed this week that attackers stole personal information from 4.9 million customer accounts. The breach occurred in early April after the ShinyHunters extortion gang tricked an employee into giving up their Microsoft Entra credentials through a voice phishing call.

Have I Been Pwned, the data breach notification service run by security researcher Troy Hunt, analyzed the leaked data and confirmed the scope. The exposed information includes names, email addresses, phone numbers, and physical addresses. A smaller subset of about 85,000 records came from an internal employee directory and included job titles.

How the Attack Happened

ShinyHunters told BleepingComputer they breached Charter's systems on April 1 using a vishing attack. Vishing, short for voice phishing, involves calling employees and impersonating IT support or other trusted parties to extract login credentials.

Once the attackers had access to the employee's Microsoft Entra account (formerly Azure Active Directory), they moved laterally into Charter's Salesforce instance. From there, they claimed to have stolen 42 million records, including customer names, email addresses, physical addresses, phone numbers, plan information, and support ticket data.

The attackers also claimed to have stolen CPNI (Customer Proprietary Network Information), which includes call records and service usage details. Charter disputes this. The company told BleepingComputer that "no sensitive personal information or CPNI data was exfiltrated."

Charter Refused to Pay

When Charter declined to pay the ransom, ShinyHunters followed through on their threat. They published the stolen documents on their dark web leak site. The FBI has recently advised victims of ShinyHunters attacks not to pay ransom demands, though the agency has not commented specifically on the Charter incident.

Charter serves over 32 million customers and more than 57 million homes across 41 states through its Spectrum brand. The company has about 92,000 employees. Even though the confirmed breach affected 4.9 million accounts, the company's massive customer base means the potential exposure could have been far worse.

ShinyHunters' Salesforce Campaign

The Charter breach is part of a larger pattern. ShinyHunters has spent the past year targeting companies that use Salesforce, breaching hundreds of organizations worldwide. The group has claimed to have stolen billions of records through what they call "Salesforce Aura" attacks and a separate campaign targeting Salesloft Drift users.

The tactic is consistent: compromise an employee's SSO credentials through social engineering, then use that access to export customer data from cloud platforms like Salesforce. Multi-factor authentication doesn't always stop these attacks. Sophisticated vishing campaigns can convince employees to approve MFA prompts or hand over one-time codes during the phone call.

“The breach illustrates that even the most advanced identity security measures can be undermined by the oldest trick in the book: social engineering.”

— Sarah Jenkins, Cybersecurity Lead Analyst at TechThreat Insights

What This Means for Affected Customers

If you're a Spectrum customer, assume your contact information may have been exposed. The data stolen, while not including Social Security numbers or financial information, is still valuable to criminals. Names, addresses, phone numbers, and email addresses are the building blocks for targeted phishing campaigns.

Discussions on Reddit's r/privacy community highlighted that this kind of data is a "goldmine" for spear-phishing. An attacker who knows your name, address, phone number, and that you're a Spectrum customer can craft highly convincing scam calls or emails. Expect an uptick in fake Spectrum communications.

• Be skeptical of calls or emails claiming to be from Spectrum, especially those asking you to verify account details
• Check Have I Been Pwned (haveibeenpwned.com) to see if your email was in the breach
• Consider using unique email aliases for different services to track which companies leak your data
• Enable two-factor authentication on all accounts, even though it's not foolproof

The Vishing Problem Isn't Going Away

On Hacker News, security professionals debated why large corporations keep falling for vishing attacks. The consensus: standard MFA isn't enough when attackers can socially engineer employees into approving login requests in real time. Some suggested that high-value enterprise accounts need phishing-resistant authentication like hardware security keys, not just push notifications or SMS codes.

The estimated cost of a successful credential compromise through vishing can exceed $100,000 when factoring in investigation, remediation, customer notification, and reputational damage. For a breach affecting nearly 5 million accounts, Charter's total costs will likely run much higher.

Frequently Asked Questions

What data was stolen in the Charter Communications breach?

Names, email addresses, phone numbers, and physical addresses were confirmed stolen. ShinyHunters also claims to have stolen support ticket data and some CPNI (call record) information, though Charter disputes this.

How did hackers breach Charter Communications?

ShinyHunters used a vishing (voice phishing) attack to trick an employee into revealing their Microsoft Entra login credentials, then used that access to export data from Charter's Salesforce instance.

How do I know if I was affected by the Charter breach?

Check Have I Been Pwned (haveibeenpwned.com) using your email address. The service has confirmed adding 4.9 million email addresses from this breach to its database.

Did Charter pay the ransom?

No. Charter refused to pay, and ShinyHunters subsequently leaked the stolen data on their dark web site.

What should Spectrum customers do now?

Be wary of phishing attempts using your exposed data. Watch for suspicious emails or calls claiming to be from Spectrum. Enable two-factor authentication on all your accounts.

Source: BleepingComputer