Charter Communications confirms data breach after ShinyHunters extortion threat
Charter Communications confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen customer data unless a ransom is paid.

U.S. telecommunications giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
Charter Communications is one of the largest broadband providers in the United States, serving tens of millions of residential and business customers through its Spectrum brand. In a statement shared this weekend, the company said it is alerting authorities about the incident and that no sensitive personal customer information was stolen.
"We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities," Charter told BleepingComputer. "No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity."
This statement follows Charter's listing on the ShinyHunters data leak site, where attackers claimed to have stolen 40 million records containing the personal information of consumer and business customers. ShinyHunters claimed to BleepingComputer that they breached Charter on April 1 through a voice phishing (vishing) attack that compromised an employee's Microsoft Entra account.
The threat actors used this access to export millions of consumer and business customer records from the company's Salesforce instance. According to the threat actor, the stolen records contain customer names, email addresses, addresses, phone numbers, phone type, plan information, and some CPNI data. The threat actor also claims to have stolen customer support ticket data.
Since last year, the extortion group has been conducting widespread social engineering campaigns that target employees and BPO agents' Microsoft Entra, Okta, and Google SSO accounts. After gaining access to a corporate SSO account, the threat actors steal data from connected SaaS applications such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others. This stolen data is then used to extort the company by threatening to leak the data if a ransom is not paid.
Salesforce has been a popular target of the extortion gang, with the threat actors breaching numerous integration companies to steal OAuth tokens that can then be used to access Salesforce instances. More recently, ShinyHunters conducted multiple attacks against the education technology firm Instructure, resulting in Canvas outages and the theft of data from tens of millions of students. Instructure said it ultimately reached an "agreement" with the extortion gang, meaning it likely paid a ransom to prevent the public release of the stolen data.
Have I Been Pwned confirmed that the breach exposed 4.9 million unique email addresses along with names, phone numbers, and physical addresses, with a subset of 85,000 records from an internal employee directory also including job titles. ShinyHunters claimed they stole 42 million records from Charter's Salesforce instance via a vishing attack on April 1, and leaked the data after the company refused to pay the ransom.
ShinyHunters has now published the stolen data, leaking 4.9 million customer records containing names, email addresses, phone numbers, and physical addresses, along with 85,000 internal staff records with job titles. The group claims Charter refused to meet its extortion demands, which included a final deadline of May 27, 2026. Charter maintains that no sensitive personal information or customer proprietary network information was exfiltrated, though the exposed data remains valuable for phishing and identity theft. The leak follows a similar ShinyHunters attack on Carnival Corporation, indicating an unusually active period for the extortion gang.
New analysis from HaveIBeenPwned reveals the breach affects approximately 4.9 million unique individuals, not the 42 million records claimed by ShinyHunters, with exposed data including names, addresses, phone numbers, and 85,000 employee records containing job titles. Charter Communications maintains that only sales tools for business customers were impacted and that no CPNI or sensitive personal information was released, though the leaked dataset contradicts the company's initial denial of CPNI exposure.