Key Takeaways

- 4.9 million unique email addresses were exposed in the breach, along with names, phone numbers, and physical addresses
- Attackers used voice phishing to compromise an employee's Microsoft Entra account on April 1
- Charter refused to pay the ransom, and ShinyHunters leaked the stolen data on their dark web site
Charter Communications, the parent company of Spectrum, confirmed this week that attackers stole personal information from 4.9 million customer accounts. The breach occurred in early April after the ShinyHunters extortion gang tricked an employee into giving up their Microsoft Entra credentials through a voice phishing call.
Have I Been Pwned, the data breach notification service run by security researcher Troy Hunt, analyzed the leaked data and confirmed the scope. The exposed information includes names, email addresses, phone numbers, and physical addresses. A smaller subset of about 85,000 records came from an internal employee directory and included job titles.
How the Attack Happened
ShinyHunters told BleepingComputer they breached Charter's systems on April 1 using a vishing attack. Vishing, short for voice phishing, involves calling employees and impersonating IT support or other trusted parties to extract login credentials.
Once the attackers had access to the employee's Microsoft Entra account (formerly Azure Active Directory), they moved laterally into Charter's Salesforce instance. From there, they claimed to have stolen 42 million records, including customer names, email addresses, physical addresses, phone numbers, plan information, and support ticket data.
The attackers also claimed to have stolen CPNI (Customer Proprietary Network Information), which includes call records and service usage details. Charter disputes this. The company told BleepingComputer that "no sensitive personal information or CPNI data was exfiltrated."
Charter Refused to Pay
When Charter declined to pay the ransom, ShinyHunters followed through on their threat. They published the stolen documents on their dark web leak site. The FBI has recently advised victims of ShinyHunters attacks not to pay ransom demands, though the agency has not commented specifically on the Charter incident.

Charter serves over 32 million customers and more than 57 million homes across 41 states through its Spectrum brand. The company has about 92,000 employees. Even though the confirmed breach affected 4.9 million accounts, the company's massive customer base means the potential exposure could have been far worse.
ShinyHunters' Salesforce Campaign
The Charter breach is part of a larger pattern. ShinyHunters has spent the past year targeting companies that use Salesforce, breaching hundreds of organizations worldwide. The group has claimed to have stolen billions of records through what they call "Salesforce Aura" attacks and a separate campaign targeting Salesloft Drift users.
The tactic is consistent: compromise an employee's SSO credentials through social engineering, then use that access to export customer data from cloud platforms like Salesforce. Multi-factor authentication doesn't always stop these attacks. Sophisticated vishing campaigns can convince employees to approve MFA prompts or hand over one-time codes during the phone call.
What This Means for Affected Customers
If you're a Spectrum customer, assume your contact information may have been exposed. The data stolen, while not including Social Security numbers or financial information, is still valuable to criminals. Names, addresses, phone numbers, and email addresses are the building blocks for targeted phishing campaigns.
Discussions on Reddit's r/privacy community highlighted that this kind of data is a "goldmine" for spear-phishing. An attacker who knows your name, address, phone number, and that you're a Spectrum customer can craft highly convincing scam calls or emails. Expect an uptick in fake Spectrum communications.
- Be skeptical of calls or emails claiming to be from Spectrum, especially those asking you to verify account details
- Check Have I Been Pwned (haveibeenpwned.com) to see if your email was in the breach
- Consider using unique email aliases for different services to track which companies leak your data
- Enable two-factor authentication on all accounts, even though it's not foolproof
The Vishing Problem Isn't Going Away
On Hacker News, security professionals debated why large corporations keep falling for vishing attacks. The consensus: standard MFA isn't enough when attackers can socially engineer employees into approving login requests in real time. Some suggested that high-value enterprise accounts need phishing-resistant authentication like hardware security keys, not just push notifications or SMS codes.
The estimated cost of a successful credential compromise through vishing can exceed $100,000 when factoring in investigation, remediation, customer notification, and reputational damage. For a breach affecting nearly 5 million accounts, Charter's total costs will likely run much higher.

Logicity's Take
Frequently Asked Questions
What data was stolen in the Charter Communications breach?
Names, email addresses, phone numbers, and physical addresses were confirmed stolen. ShinyHunters also claims to have stolen support ticket data and some CPNI (call record) information, though Charter disputes this.
How did hackers breach Charter Communications?
ShinyHunters used a vishing (voice phishing) attack to trick an employee into revealing their Microsoft Entra login credentials, then used that access to export data from Charter's Salesforce instance.
How do I know if I was affected by the Charter breach?
Check Have I Been Pwned (haveibeenpwned.com) using your email address. The service has confirmed adding 4.9 million email addresses from this breach to its database.
Did Charter pay the ransom?
No. Charter refused to pay, and ShinyHunters subsequently leaked the stolen data on their dark web site.
What should Spectrum customers do now?
Be wary of phishing attempts using your exposed data. Watch for suspicious emails or calls claiming to be from Spectrum. Enable two-factor authentication on all your accounts.
More on how threat actors are evolving their tactics
Need Help Implementing This?
Source: BleepingComputer
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in Cybersecurity
SD-WAN Security Flaw: What CEOs Must Do by Friday
CISA has flagged an actively exploited vulnerability in Cisco's SD-WAN Manager, giving federal agencies just four days to patch. For enterprises running Cisco SD-WAN infrastructure, this isn't just a government mandate. It's a wake-up call about network security debt that could cost millions in breach response.

Apache ActiveMQ Vulnerability: 6,400 Servers at Risk
A critical 13-year-old security flaw in Apache ActiveMQ is now being actively exploited, putting over 6,400 enterprise message brokers at immediate risk. For businesses running Java applications, this vulnerability could mean unauthorized code execution on your servers. CISA has ordered federal agencies to patch by April 30, signaling the severity of this threat.

KelpDAO Hack: $290M Crypto Heist Hits DeFi Protocols
North Korean state hackers allegedly stole $290 million from KelpDAO by exploiting cross-chain verification systems. The attack forced major lending protocols including Aave to freeze operations, raising urgent questions about DeFi security for institutional investors.

Seiko USA Breach 2026: What E-Commerce Leaders Must Know
The Seiko USA website defacement exposes critical vulnerabilities in Shopify-based retail operations. This attack demonstrates how threat actors are increasingly targeting brand-name companies through their e-commerce platforms, with potential customer data exposure and ransom demands creating both financial and reputational risks for businesses of all sizes.



