IRCNF

Charter Communications confirms data breach after ShinyHunters claims 40 million Spectrum customer records

BleepingComputer

Charter Communications — the US cable and broadband operator behind the Spectrum brand — confirmed a data breach on Tuesday after the ShinyHunters extortion group claimed to have stolen 40 million customer records and threatened to publish them unless paid. Charter disputed the severity in a brief statement but acknowledged the incident and said it had alerted authorities.

The breach reportedly took place in early April, when ShinyHunters used a voice phishing (vishing) attack to compromise a Charter employee's Microsoft Entra (Azure AD) single sign-on credentials, according to BleepingComputer. Using those credentials, the attackers accessed Charter's Salesforce customer data platform and exported records spanning both residential and business accounts.

What Was Taken

ShinyHunters claims the stolen dataset includes customer names, email addresses, physical addresses, phone numbers, service plan details, and support ticket content from Charter's Salesforce environment. The group puts the record count at 40 million. That figure exceeds Charter's roughly 32 million broadband subscribers, so if it is accurate the dataset must hold more than one record per customer (support tickets alongside account records, for instance) or include business and former accounts, rather than one row per current subscriber.

Charter's statement was terse: "We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities." The company added that "no sensitive personal information or customer proprietary network information was exfiltrated by the threat actor." Both qualifiers are narrower than they sound. Customer proprietary network information (CPNI) is a term of art from FCC telecom rules that covers service usage, configuration and billing data; it does not cover subscriber list details such as name, address and phone number. The statement is therefore compatible with exactly the data types ShinyHunters claims to hold, and it does not rebut the claimed scope so much as sidestep it. The extent of the actual exposure remains independently unverified.

ShinyHunters' Escalating SaaS Campaign

This breach is the latest in an extended campaign by ShinyHunters that follows a consistent pattern: vishing attacks against employees or BPO (business process outsourcer) contractors to steal SSO credentials, followed by data exfiltration from connected SaaS applications — Salesforce in particular — and then extortion. The group has executed the same playbook against multiple targets in recent months.

Instructure, the company behind the Canvas learning management system used by millions of students and faculty at universities and schools, was hit using the same method. ShinyHunters reportedly reached an undisclosed "agreement" with Instructure following the theft of tens of millions of student records — language that typically implies a ransom payment. The 7-Eleven chain also disclosed a breach attributed to ShinyHunters this week, with 183,000 customer records confirmed stolen.

The pattern highlights a shift in how large data thefts are being executed. Rather than exploiting unpatched server vulnerabilities, ShinyHunters is systematically compromising human operators, meaning the credentials that connect employees to cloud platforms, and then harvesting data from those platforms directly. No zero-day is required: social engineering plus valid SSO credentials yields the same data access as a server compromise, with less technical risk and far fewer host-level forensic artifacts. The activity is not invisible, though. The identity provider logs the login and the SaaS platform logs the export, so the detection opportunity shifts from endpoint and network telemetry to identity and SaaS audit logs, which many organizations collect but do not alert on.

What Spectrum Customers Should Do

Charter has not yet said whether it will notify affected customers directly. Given the data types ShinyHunters claims to hold — home addresses, phone numbers, service plan information — customers should be alert to targeted phishing attempts and SIM-swap attacks using this information. Anyone receiving unexpected contact claiming to be from Spectrum, or noticing unusual changes to their phone service, should contact Charter directly through official channels rather than responding to inbound communications.

The Salesforce vector also deserves attention from enterprise security teams. Organizations that use Salesforce as a customer data repository should review which accounts hold export permissions (report export, Data Export and Bulk API access) and which connected apps are authorized to pull data; whether those accounts are protected by phishing-resistant MFA (hardware security keys or passkeys rather than SMS or TOTP, since a vishing caller can talk a victim through reading out a one-time code but cannot relay a FIDO2 assertion bound to the real login origin); and whether export activity in Salesforce's event logs is actually monitored and alerted on rather than merely retained.
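As an added example (not code from BleepingComputer, Charter or Salesforce), the following Python script shows what "export activity monitoring" looks like as concrete detection logic rather than a checklist item. It parses Salesforce EventLogFile-style CSV rows and applies two rules that together describe the vished-session pattern in this story: a large export volume summed per user across a sliding window, and an export that follows a login from an IP outside the user's baseline. The column names (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, CLIENT_IP, ROWS_PROCESSED), the event type names, the log rows and the per-user IP baseline are all assumptions constructed for the example; check them against the event types your own org emits before reusing the logic.

```python
"""Flag suspicious data-export activity in Salesforce EventLogFile-style CSV rows.

Added example for this article; not code from Charter, Salesforce or
BleepingComputer. Column names are assumed (check them against the event types
your org actually emits) and the log rows and IP baseline below are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Event types treated as a data export (assumed names; Salesforce emits several more).
EXPORT_EVENTS = {"ReportExport", "BulkApi"}

# Constructed sample log: one analyst (005B2) doing a normal small export, and one
# account (005A1) whose login from a never-seen IP is followed by large bulk pulls.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ROWS_PROCESSED
Login,2025-04-02T08:55:10Z,005A1,203.0.113.7,0
Login,2025-04-02T09:00:00Z,005B2,198.51.100.9,0
ReportExport,2025-04-02T09:05:00Z,005B2,198.51.100.9,500
Login,2025-04-02T10:12:00Z,005A1,192.0.2.44,0
BulkApi,2025-04-02T10:15:00Z,005A1,192.0.2.44,250000
BulkApi,2025-04-02T10:20:00Z,005A1,192.0.2.44,300000
ReportExport,2025-04-02T10:25:00Z,005A1,192.0.2.44,120000
"""

# Constructed per-user baseline of IPs seen during a prior learning period.
KNOWN_IPS = {"005A1": {"203.0.113.7"}, "005B2": {"198.51.100.9"}}


def parse_events(text):
    """Turn CSV rows into dicts with a UTC datetime and an integer row count, time-ordered."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({
            "type": row["EVENT_TYPE"],
            "ts": ts.replace(tzinfo=timezone.utc),
            "user": row["USER_ID"],
            "ip": row["CLIENT_IP"],
            "rows": int(row["ROWS_PROCESSED"] or 0),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_exports(events, row_threshold=100_000, window=timedelta(hours=1)):
    """Rule 1: one user exports more than row_threshold rows inside a sliding window.

    Summing across events matters: an attacker can stay under any per-request
    threshold by splitting the pull into many batches.
    """
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        if e["type"] in EXPORT_EVENTS:
            per_user[e["user"]].append(e)
    for user, exports in per_user.items():
        start, total = 0, 0
        for e in exports:
            total += e["rows"]
            # Drop events that fell out of the window before checking the sum.
            while e["ts"] - exports[start]["ts"] > window:
                total -= exports[start]["rows"]
                start += 1
            if total > row_threshold:
                alerts.append({"rule": "bulk_export", "user": user, "rows": total,
                               "first": exports[start]["ts"], "last": e["ts"]})
                break  # one alert per user is enough to open a case
    return alerts


def detect_export_after_new_ip_login(events, known_ips, login_window=timedelta(minutes=30)):
    """Rule 2: a login from an IP outside the user's baseline, followed within
    login_window by an export from that same IP. This is the shape of a vished
    SSO session: the attacker logs in from their own infrastructure, then exports.
    """
    alerts = []
    pending = {}  # user -> most recent login from an unknown IP
    for e in events:
        if e["type"] == "Login":
            if e["ip"] in known_ips.get(e["user"], set()):
                pending.pop(e["user"], None)
            else:
                pending[e["user"]] = e
        elif e["type"] in EXPORT_EVENTS:
            login = pending.get(e["user"])
            if login and e["ip"] == login["ip"] and e["ts"] - login["ts"] <= login_window:
                alerts.append({"rule": "export_after_new_ip_login", "user": e["user"],
                               "ip": e["ip"], "rows": e["rows"], "ts": e["ts"]})
                pending.pop(e["user"])  # one alert per suspicious login
    return alerts


def run(log_text, known_ips):
    """Apply both rules and return the combined alert list."""
    events = parse_events(log_text)
    return detect_bulk_exports(events) + detect_export_after_new_ip_login(events, known_ips)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```

On the constructed sample, account 005A1 trips both rules (250,000 rows exported three minutes after a login from 192.0.2.44, an IP not in its baseline) while the analyst's 500-row report export produces nothing. In production the rows would come from the EventLogFile API or a SIEM feed, the IP baseline would be learned from the identity provider's sign-in history rather than hard-coded, and the thresholds need tuning against legitimate integration accounts, which is exactly why the export-permission review in the paragraph above comes first: the fewer accounts that can export at all, the shorter the allowlist the detection has to tolerate.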

Originally reported by BleepingComputer. Read the original article for additional details.
