Key Takeaways

- ShinyHunters claims to have stolen 40 million Charter customer records through a voice phishing attack
- Charter denies sensitive personal information or CPNI data was compromised
- The breach reportedly occurred via a compromised Microsoft Entra account with Salesforce access
What Happened
Charter Communications, the parent company behind the Spectrum brand, has confirmed it suffered a data breach. The confirmation came after ShinyHunters, an extortion group, listed the company on its data leak site and threatened to release stolen information unless Charter pays a ransom.
Charter serves tens of millions of residential and business customers across the United States. The company says it's working with authorities and following its security protocols.
“We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities.”
— Charter Communications, statement to BleepingComputer
Charter insists that no sensitive personal information or customer proprietary network information (CPNI) was stolen. ShinyHunters tells a different story.
ShinyHunters' Claims
The extortion group claims it breached Charter on April 1 through a voice phishing (vishing) attack. The target was an employee's Microsoft Entra account. Once inside, the attackers say they exported millions of customer records from Charter's Salesforce instance.
According to ShinyHunters, the stolen data includes customer names, email addresses, physical addresses, phone numbers, phone type, plan information, and some CPNI data. They also claim to have stolen customer support ticket data.

When BleepingComputer asked Charter about these specific claims, particularly the allegation that CPNI was taken, the company referred back to its original statement denying sensitive data theft.
ShinyHunters' Playbook
This breach fits a pattern. Since last year, ShinyHunters has run widespread social engineering campaigns targeting employees and BPO agents. Their preferred entry points are SSO accounts on Microsoft Entra, Okta, and Google.
The strategy is simple but effective. Compromise one SSO account, then harvest data from every connected SaaS application. Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox. All become accessible through a single point of entry.
Salesforce has become a favorite target. ShinyHunters has breached multiple integration companies to steal OAuth tokens, which then grant access to Salesforce instances without needing direct credentials.
The group's recent attack on Instructure, an education technology company, resulted in Canvas outages and the alleged theft of data from tens of millions of students. Instructure reportedly reached some form of resolution with the attackers.
The Voice Phishing Problem
Voice phishing represents a growing threat to enterprises. Unlike email phishing, vishing attacks are harder to filter automatically. A caller pretending to be IT support, a vendor, or even a colleague can pressure employees into handing over credentials or approving MFA requests.
The attack surface expands when companies use single sign-on. SSO is supposed to improve security by reducing password sprawl. But it also creates a master key. One compromised account can unlock dozens of applications.
Security teams face a tradeoff. SSO reduces credential fatigue and makes access management easier. But it concentrates risk. The Charter breach shows what happens when that single point of entry falls.
What Charter Customers Should Know
Charter's statement claims no sensitive personal information was stolen. The company has not specified what protective measures, if any, it's offering affected customers.
If ShinyHunters' claims are accurate, the stolen data would include names, emails, addresses, and phone numbers. This information, even without financial data, enables identity theft, targeted phishing, and social engineering attacks against customers.
- Watch for phishing attempts that reference your Charter/Spectrum account details
- Be suspicious of calls claiming to be from Spectrum support
- Consider placing a fraud alert with credit bureaus as a precaution
- Monitor your accounts for unusual activity

Logicity's Take
The Bigger Picture
ShinyHunters has refined a model: social engineer one employee, access cloud applications, exfiltrate data, demand ransom. The group isn't exploiting exotic zero-days. They're exploiting human trust and centralized access.
Enterprise security spending continues to rise, but attackers keep finding the path of least resistance. In this case, that path was a phone call.
Another example of default settings creating unexpected privacy risks
Frequently Asked Questions
Was my Spectrum account data stolen in the Charter breach?
Charter has not confirmed individual account exposure. If you're a Spectrum customer, monitor for suspicious communications and consider fraud alerts as a precaution.
What is voice phishing (vishing)?
Vishing is a social engineering attack conducted over phone calls. Attackers impersonate IT support, vendors, or colleagues to trick employees into revealing credentials or approving access requests.
Who is ShinyHunters?
ShinyHunters is a cyber-extortion group that has been active since at least 2020. They specialize in breaching companies through social engineering, stealing data from cloud applications, and demanding ransoms to prevent data leaks.
What is CPNI and why does it matter?
Customer Proprietary Network Information includes data about how you use your telecom services, such as call records and service plans. It's protected by FCC regulations because it can reveal sensitive details about your communications.
How do companies protect against voice phishing attacks?
Defenses include employee training, callback verification procedures, phishing-resistant MFA like hardware keys, and limiting what any single account can access even after authentication.
Need Help Implementing This?
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
Browse all
SD-WAN Security Flaw: What CEOs Must Do by Friday
CISA has flagged an actively exploited vulnerability in Cisco's SD-WAN Manager, giving federal agencies just four days to patch. For enterprises running Cisco SD-WAN infrastructure, this isn't just a government mandate. It's a wake-up call about network security debt that could cost millions in breach response.

Apache ActiveMQ Vulnerability: 6,400 Servers at Risk
A critical 13-year-old security flaw in Apache ActiveMQ is now being actively exploited, putting over 6,400 enterprise message brokers at immediate risk. For businesses running Java applications, this vulnerability could mean unauthorized code execution on your servers. CISA has ordered federal agencies to patch by April 30, signaling the severity of this threat.

KelpDAO Hack: $290M Crypto Heist Hits DeFi Protocols
North Korean state hackers allegedly stole $290 million from KelpDAO by exploiting cross-chain verification systems. The attack forced major lending protocols including Aave to freeze operations, raising urgent questions about DeFi security for institutional investors.

Seiko USA Breach 2026: What E-Commerce Leaders Must Know
The Seiko USA website defacement exposes critical vulnerabilities in Shopify-based retail operations. This attack demonstrates how threat actors are increasingly targeting brand-name companies through their e-commerce platforms, with potential customer data exposure and ransom demands creating both financial and reputational risks for businesses of all sizes.



