ShinyHunters Breached Charter Communications via a Vishing Call — 4.9 Million Customer Records Exposed

Charter Communications, the parent company of Spectrum internet, cable, and television services, has confirmed a significant data breach affecting millions of its customers. The breach, which began on April 1, 2026, went undisclosed for more than seven weeks — a delay that raises serious questions about the company's obligations to its customers and regulators.
How It Happened
The intrusion began not with a sophisticated zero-day exploit or a complex piece of malware, but with a phone call. On April 1, 2026, threat actors from the ShinyHunters group called a Charter Communications employee and impersonated a trusted party — a classic vishing (voice phishing) technique. The call was convincing enough to trick the employee into surrendering their Microsoft Entra (formerly Azure Active Directory) credentials.
With those credentials in hand, the attackers had legitimate access to Charter's identity infrastructure. They used that access to pivot into Charter's Salesforce CRM environment, where the company manages customer relationships, service records, and support interactions. Once inside Salesforce, they exported a substantial dataset of customer records. The attack chain — vishing call, stolen Entra credentials, Salesforce exfiltration — is becoming a documented playbook that multiple threat groups are now executing against large enterprises.
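The chain described above (a freshly taken-over identity followed by a large CRM export) is also what a defender can look for. The following is an added detection example, not code from the article, from Charter or from Salesforce: it correlates identity-provider credential-change events with CRM export volume and flags any user whose exports shortly after such a change far exceed their historical baseline. Event names, field layout and the baseline table are constructed assumptions, not the Entra or Salesforce log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Charter, Entra or Salesforce data).
# Field names are hypothetical; map them onto your IdP and CRM audit feeds.
IDP_EVENTS = [
    # (UTC timestamp, user, event)
    ("2026-04-01T09:02:00", "agent.a", "password_reset_by_helpdesk"),
    ("2026-04-01T09:05:00", "agent.a", "mfa_method_added"),
    ("2026-04-01T09:06:00", "agent.a", "signin"),
    ("2026-04-01T08:30:00", "agent.b", "signin"),
]
CRM_EXPORTS = [
    # (UTC timestamp, user, rows returned by one report export or API job)
    ("2026-04-01T10:15:00", "agent.a", 1_200_000),
    ("2026-04-01T10:40:00", "agent.a", 900_000),
    ("2026-04-01T11:00:00", "agent.b", 250),
]
# Typical daily export volume per user, learned from prior weeks (constructed).
BASELINE_ROWS = {"agent.a": 300, "agent.b": 400}

# Hypothetical event names that indicate a credential or MFA change, i.e. the
# point at which an account taken over by phone starts to look "legitimate".
CREDENTIAL_CHANGE_EVENTS = {
    "password_reset_by_helpdesk", "mfa_method_added", "signin_new_device",
}


def _ts(s):
    return datetime.fromisoformat(s)


def flag_bulk_exports(idp_events, crm_exports, baseline, window_hours=24, ratio=10):
    """Return {user: rows} for users who exported more than ratio x their
    baseline within window_hours after a credential/MFA change."""
    first_change = {}
    for ts, user, event in idp_events:
        if event in CREDENTIAL_CHANGE_EVENTS:
            t = _ts(ts)
            if user not in first_change or t < first_change[user]:
                first_change[user] = t
    totals = {}
    window = timedelta(hours=window_hours)
    for ts, user, rows in crm_exports:
        if user in first_change and timedelta(0) <= _ts(ts) - first_change[user] <= window:
            totals[user] = totals.get(user, 0) + rows
    return {u: r for u, r in totals.items() if r > ratio * baseline.get(u, 0)}
```

Exports by a user with no recent credential change (agent.b here) are left to ordinary volume monitoring; the point of the correlation is to surface the specific sequence the vishing-to-export chain produces.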
What Was Taken and Who's Affected
According to Charter's disclosure and supporting analysis, the stolen data includes customer names, email addresses, physical mailing addresses, phone numbers, service plan details, and customer support ticket records. This combination of data is particularly dangerous because it enables highly targeted follow-on attacks: spear phishing emails that reference real account details, phone scams that use accurate service information to impersonate Charter support, and social engineering attacks against other accounts using stolen credentials.
The scale of the breach is disputed. ShinyHunters claimed to have stolen between 40 and 42 million customer records. However, Troy Hunt's analysis via Have I Been Pwned — which deduplicates records across datasets — identified approximately 4.9 million unique individuals in the published data. Other analyses of the leaked files have reported figures ranging from 13 million to 42 million rows, depending on methodology and which datasets are counted.
Charter Communications disputes claims about Customer Proprietary Network Information (CPNI) being stolen. CPNI is a federally protected category of telecommunications data that includes call records, usage patterns, and network activity. Charter maintains that only data within its "sales tools" — meaning Salesforce — was accessed, and that core network systems were not compromised. ShinyHunters and independent researchers have contested this characterization. The CPNI question matters significantly: if CPNI was taken, Charter faces heightened regulatory obligations under FCC rules.
The Disclosure Timeline
Charter became aware of the breach in early April 2026. The company did not publicly disclose the incident until late May 2026 — more than seven weeks after the initial compromise. During that window, customers whose data had been stolen had no way of knowing their information was in the hands of a ransomware extortion group.
U.S. telecommunications companies are subject to FCC data breach notification rules, which require notification to the Commission and to affected customers "without unreasonable delay" — and in some circumstances within 30 days. State laws add further requirements: California's CCPA, for instance, requires notification in "the most expedient time possible." Whether Charter's seven-plus-week timeline constitutes compliance or a violation is a question that regulators may now be examining.
The timing of the public disclosure coincides with ShinyHunters beginning to publish the stolen data on their dark web leak site — suggesting that Charter's hand may have been forced by the imminent or actual publication of customer records, rather than a proactive decision to notify customers.
ShinyHunters' Track Record
ShinyHunters is not a new or unknown threat actor. The group has been one of the most prolific ransomware and data extortion operations in recent years. In 2024 alone, they were responsible for the Ticketmaster breach — widely reported as one of the largest in history, affecting approximately 560 million records. That same year, they exploited credentials of Snowflake customers in a campaign that hit dozens of major corporations, including AT&T, which suffered a massive breach of call records affecting hundreds of millions of customers.
The group's operational model is consistent: identify a high-value target, obtain credentials through social engineering or credential stuffing, access cloud-hosted data platforms (Salesforce, Snowflake, and similar SaaS tools are recurring targets), exfiltrate data, demand ransom, and publish when the target refuses to pay. Charter appears to have refused to pay, and ShinyHunters followed through on publication.
The Vishing Problem
What makes the Charter breach particularly instructive is its entry point. The attack did not begin by defeating any technical security control. It began by talking to a human being on the phone. Vishing — voice phishing — has become a central technique for major threat groups operating against large enterprises. The MGM Resorts breach in 2023, widely attributed to actors linked to the Scattered Spider collective, began with a call to the MGM help desk. The pattern keeps repeating.
Technical defenses — firewalls, endpoint detection, multi-factor authentication, SIEM monitoring — provide no protection against a well-crafted phone call that exploits an employee's trust, authority bias, and desire to be helpful. The solution requires a different kind of investment: rigorous verification protocols for credential resets and access provisioning, regular employee training with realistic vishing simulations, and strict out-of-band confirmation requirements for any sensitive access granted by phone.
Until organizations treat the human attack surface with the same rigor they apply to technical vulnerabilities, breaches like Charter's will continue to be the norm rather than the exception.
What Charter Customers Should Do
If you are or were a Spectrum customer, there are practical steps you should take now. First, check whether your email address appears in the breach by visiting Have I Been Pwned (haveibeenpwned.com). If your data is confirmed exposed, be especially vigilant about phishing emails that reference your real Charter account details — attackers now have the information to make those emails look very convincing.
Because physical addresses were reportedly among the stolen data fields, customers should also consider placing a credit freeze with the three major bureaus (Equifax, Experian, TransUnion) to prevent fraudulent account openings using your address. Monitor your Charter account for any unauthorized changes to service plans or contact information, and be skeptical of any inbound calls claiming to be from Charter support — the stolen support ticket data gives attackers knowledge of your actual service history.
The Bigger Problem
The breach itself — as serious as it is — may not be the most significant issue here. Millions of customer records stolen by a known ransomware group is a bad day for Charter. But the seven-week gap between breach and disclosure is a different kind of failure: a failure of corporate responsibility to the customers who trusted Charter with their personal information.
During those seven weeks, Charter customers were exposed to phishing, fraud, and identity theft risks they knew nothing about. Regulators at the FCC and state attorneys general will likely scrutinize that timeline carefully. The question of whether Charter's disclosure met legal requirements — or whether it was triggered by ShinyHunters beginning to publish rather than by any proactive decision to notify — will shape how this story ends for the company's legal and regulatory standing.
The breach is done. The data is out. What happens next depends on whether regulators decide that a seven-week silence in the face of a known intrusion is acceptable — and whether the answer to that question carries any meaningful consequences.
Originally reported by BleepingComputer. Read the original article for additional details.