Charter Confirms Data Breach After ShinyHunters Extortion Threat

Key Takeaways

- ShinyHunters claims to have stolen 40 million Charter customer records through a voice phishing attack
- Charter denies sensitive personal information or CPNI data was compromised
- The breach reportedly occurred via a compromised Microsoft Entra account with Salesforce access
What Happened
Charter Communications, the parent company behind the Spectrum brand, has confirmed it suffered a data breach. The confirmation came after ShinyHunters, an extortion group, listed the company on its data leak site and threatened to release stolen information unless Charter pays a ransom.
Charter serves tens of millions of residential and business customers across the United States. The company says it's working with authorities and following its security protocols.
“We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities.”
— Charter Communications, statement to BleepingComputer
Charter insists that no sensitive personal information or customer proprietary network information (CPNI) was stolen. ShinyHunters tells a different story.
ShinyHunters' Claims
The extortion group claims it breached Charter on April 1 through a voice phishing (vishing) attack. The target was an employee's Microsoft Entra account. Once inside, the attackers say they exported millions of customer records from Charter's Salesforce instance.
According to ShinyHunters, the stolen data includes customer names, email addresses, physical addresses, phone numbers, phone type, plan information, and some CPNI data. They also claim to have stolen customer support ticket data.

When BleepingComputer asked Charter about these specific claims, particularly the allegation that CPNI was taken, the company referred back to its original statement denying sensitive data theft.
ShinyHunters' Playbook
This breach fits a pattern. Since last year, ShinyHunters has run widespread social engineering campaigns targeting employees and BPO agents. Their preferred entry points are SSO accounts on Microsoft Entra, Okta, and Google.
The strategy is simple but effective. Compromise one SSO account, then harvest data from every connected SaaS application. Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox all become accessible through a single point of entry.
Salesforce has become a favorite target. ShinyHunters has breached multiple integration companies to steal OAuth tokens, which then grant access to Salesforce instances without needing direct credentials.
The group's recent attack on Instructure, an education technology company, resulted in Canvas outages and the alleged theft of data from tens of millions of students. Instructure reportedly reached some form of resolution with the attackers.
The Voice Phishing Problem
Voice phishing represents a growing threat to enterprises. Unlike email phishing, vishing attacks are harder to filter automatically. A caller pretending to be IT support, a vendor, or even a colleague can pressure employees into handing over credentials or approving MFA requests.
The attack surface expands when companies use single sign-on. SSO is supposed to improve security by reducing password sprawl. But it also creates a master key. One compromised account can unlock dozens of applications.
Security teams face a tradeoff. SSO reduces credential fatigue and makes access management easier. But it concentrates risk. The Charter breach shows what happens when that single point of entry falls.
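The pattern described above (one SSO sign-in, then many connected applications and a large export) can be expressed as a correlation rule for defenders. The following is an added example, not part of the original article or of any vendor's tooling; the event schema, app names, thresholds and sample data are constructed assumptions and do not reflect a real Entra or Salesforce log format.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed correlation window after the sign-in
APP_THRESHOLD = 3            # assumed: distinct SaaS apps that trigger an alert
ROW_THRESHOLD = 50_000       # assumed: exported records that trigger an alert

# Constructed baseline of source IPs previously seen for each user.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}}

# Constructed, normalized events: (time, user, kind, app, source_ip, rows).
# kind is "signin" (SSO login), "access" (SaaS session) or "export" (bulk export).
EVENTS = [
    ("2025-01-06T09:00:00", "alice", "signin", "sso", "198.51.100.7", 0),
    ("2025-01-06T09:05:00", "alice", "export", "crm", "198.51.100.7", 1200),
    ("2025-01-06T14:00:00", "bob", "signin", "sso", "203.0.113.50", 0),
    ("2025-01-06T14:03:00", "bob", "access", "mail", "203.0.113.50", 0),
    ("2025-01-06T14:06:00", "bob", "access", "chat", "203.0.113.50", 0),
    ("2025-01-06T14:10:00", "bob", "export", "crm", "203.0.113.50", 400000),
    ("2025-01-06T14:20:00", "bob", "export", "helpdesk", "203.0.113.50", 90000),
    ("2025-01-06T16:30:00", "bob", "access", "files", "203.0.113.50", 0),
]

def detect_sso_fanout(events, known_ips):
    """Flag SSO sign-ins from an unseen IP that are followed, within WINDOW,
    by access to many SaaS apps or by a large volume of exported rows."""
    parsed = sorted((datetime.fromisoformat(t), u, k, a, ip, r)
                    for t, u, k, a, ip, r in events)
    alerts = []
    for start, user, kind, _, ip, _ in parsed:
        if kind != "signin" or ip in known_ips.get(user, set()):
            continue  # only sign-ins from an IP outside the user's baseline
        apps, rows = set(), 0
        for when, u, k, app, _, n in parsed:
            # Correlate by user, not IP: the session may move between addresses.
            if u == user and k != "signin" and start <= when <= start + WINDOW:
                apps.add(app)
                rows += n
        reasons = []
        if len(apps) >= APP_THRESHOLD:
            reasons.append("app fan-out")
        if rows >= ROW_THRESHOLD:
            reasons.append("bulk export")
        if reasons:
            alerts.append({"user": user, "ip": ip, "apps": sorted(apps),
                           "rows": rows, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect_sso_fanout(EVENTS, KNOWN_IPS):
        print(alert)
```

In practice the thresholds and window would be tuned against each user's normal export volume, since some roles legitimately run large reports.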
What Charter Customers Should Know
Charter's statement claims no sensitive personal information was stolen. The company has not specified what protective measures, if any, it's offering affected customers.
If ShinyHunters' claims are accurate, the stolen data would include names, emails, addresses, and phone numbers. This information, even without financial data, enables identity theft, targeted phishing, and social engineering attacks against customers.
- Watch for phishing attempts that reference your Charter/Spectrum account details
- Be suspicious of calls claiming to be from Spectrum support
- Consider placing a fraud alert with credit bureaus as a precaution
- Monitor your accounts for unusual activity
Logicity's Take
The Bigger Picture
ShinyHunters has refined a model: social engineer one employee, access cloud applications, exfiltrate data, demand ransom. The group isn't exploiting exotic zero-days. They're exploiting human trust and centralized access.
Enterprise security spending continues to rise, but attackers keep finding the path of least resistance. In this case, that path was a phone call.
Frequently Asked Questions
Was my Spectrum account data stolen in the Charter breach?
Charter has not confirmed individual account exposure. If you're a Spectrum customer, monitor for suspicious communications and consider fraud alerts as a precaution.
What is voice phishing (vishing)?
Vishing is a social engineering attack conducted over phone calls. Attackers impersonate IT support, vendors, or colleagues to trick employees into revealing credentials or approving access requests.
Who is ShinyHunters?
ShinyHunters is a cyber-extortion group that has been active since at least 2020. They specialize in breaching companies through social engineering, stealing data from cloud applications, and demanding ransoms to prevent data leaks.
What is CPNI and why does it matter?
Customer Proprietary Network Information includes data about how you use your telecom services, such as call records and service plans. It's protected by FCC regulations because it can reveal sensitive details about your communications.
How do companies protect against voice phishing attacks?
Defenses include employee training, callback verification procedures, phishing-resistant MFA like hardware keys, and limiting what any single account can access even after authentication.
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer