Charter Communications data breach affects 4.9 million accounts
Charter Communications confirms a data breach by the ShinyHunters extortion gang affecting 4.9 million accounts, with the attackers claiming to have stolen 42 million Salesforce records including names, emails, addresses, and phone numbers. Charter says no sensitive PII or CPNI data was exfiltrated and authorities were alerted, but the data was leaked on the dark web after Charter declined to pay the ransom; the FBI has advised victims not to pay. The incident forms part of a broader Salt Typhoon campaign that has breached multiple telecoms.

Overview
- A large-scale data breach tied to Charter Communications has been linked to the ShinyHunters extortion gang. Public notifications place the affected figure at 4.9 million accounts, according to Have I Been Pwned, a breach notification service.
- Charter, a major U.S. telecom operator under the Spectrum brand, confirmed a security incident earlier in May, stating that no sensitive personal information (PII) or customer proprietary network information (CPNI) data was exfiltrated as a result of the activity. Authorities were alerted, and the company indicated it is continuing to investigate.
- The attackers claim to have used a voice phishing (vishing) operation to compromise an employee’s Microsoft Entra account on April 1, gaining access to internal systems. The group asserts they siphoned data from Charter’s Salesforce instance, and subsequently leaked stolen material after Charter declined a ransom.
What Happened and Who Was Involved
- Initial access and entry: The extortion group alleges that a vishing attack successfully compromised an employee’s Microsoft Entra account, providing a foothold inside Charter’s environment.
- Lateral movement and data access: With that foothold, the group claims access to additional systems, including the Salesforce environment used by Charter to manage customer information.
- Extortion and leakage: After Charter refused to pay any ransom, ShinyHunters reportedly published parts of the stolen data on their dark web leak site.
- Responsibility and attribution: Charter has not publicly attributed the attack to a specific actor beyond acknowledging the incident and stating no sensitive data was exfiltrated. The extortion group publicly claimed responsibility and provided details about their claimed access and data theft.
Data Exposed and What It Entails
- 4.9 million accounts affected: Public analysis by Have I Been Pwned indicates that names, email addresses, job titles (for a subset), phone numbers, and physical addresses were exposed for these accounts.
- Job titles exposed: Approximately 85,000 records originating from an internal directory included job titles, suggesting an internal employee dataset was accessed in part.
- Salesforce data claims: The intruder group asserted that they stole about 42 million records from Charter’s Salesforce instance, covering consumer and business customer data such as names, email addresses, physical addresses, phone numbers, plan details, support tickets, and some CPNI data. Charter has not independently confirmed these numbers.
- CPNI and PII considerations: Charter stated that no sensitive personal information or CPNI was exfiltrated as part of the recent activity. Whether any additional CPNI data was ultimately accessed remains a point of inquiry, and Have I Been Pwned’s analysis focused on the 4.9 million accounts rather than the broader Salesforce claim.
Characterizing the Breach Timeline
- April 1: Reported initial access via a vishing attack targeting an employee, enabling a foothold in Charter’s environment.
- Early April: Charter detected suspicious activity and notified authorities; public communications emphasized that sensitive PII and CPNI were not exfiltrated.
- May: The breach came into public focus through Have I Been Pwned’s analysis, which identified 4.9 million affected accounts.
- Post-breach disclosures: The ShinyHunters leak site published the data after Charter declined to pay the ransom, prompting ongoing investigation and monitoring by affected stakeholders and authorities.
Charter’s Response and Public Communication
- Official stance: Charter confirmed the breach, indicated no sensitive PII or CPNI was exfiltrated, and noted that authorities had been alerted. The company did not provide extensive details beyond those statements.
- Extortion dynamics: The attackers publicly claimed additional data theft from Salesforce, but Charter did not corroborate those broader claims in its public statements.
- Ongoing investigations: The company signaled that it remains engaged in the investigation and in communications with law enforcement, while continuing to assess the impact on customers and operations.
Threat Actor Profile and Industry Context
- Group involved: ShinyHunters, a cybercrime collective known for extortion-based breaches and data theft campaigns across multiple industries, including Salesforce environments and various enterprise platforms.
- Historical activity: ShinyHunters has advertised large-scale exfiltration events across organizations globally, often followed by ransom demands and public data leakage.
- Broader implications: The Charter incident sits within a pattern of attacks affecting telecommunications and technology service providers, including past incursions by determined state- or non-state-backed groups targeting critical infrastructure and carrier networks.
- Related campaigns: The attackers have been linked to other high-profile incidents involving Salesforce-related data theft and campaigns targeting enterprise platforms.
Law Enforcement Guidance and Public Safety Considerations
- FBI advisories around ransom demands advise against paying, highlighting that payment does not guarantee the return or destruction of stolen data and may encourage further coercion or resale of exfiltrated information.
- The public outlook emphasizes heightened vigilance for affected individuals and organizations, with ongoing investigations to determine the full scope of data exposure and potential secondary impacts.
Broader Context: Salt Typhoon and Industry-Wide Breaches
- Salt Typhoon activity: Charter’s systems were reportedly compromised during a wave of breaches attributed to Salt Typhoon, a Chinese state-backed threat group that has impacted a range of telecoms, including AT&T, Verizon, Windstream, Lumen, and others in multiple countries.
- Industry risk: The incident illustrates the risk landscape facing large telecom providers, where attackers leverage social engineering, compromised credentials, and targeted access to move laterally into exposed data repositories and customer management systems.
Impact and Implications for Stakeholders
- For affected individuals: The exposure of names, emails, addresses, and phone numbers raises concerns about potential phishing, social engineering, and targeted scams, even if the data was not accompanied by full payment card or highly sensitive identifiers.
- For organizations: The case underscores the importance of credential hygiene, robust identity management, and multi-factor authentication, as well as ongoing monitoring of enterprise apps like Salesforce and identity platforms that can become vectors for intrusions.
- For the industry: The breach reinforces the need for coordinated incident response, transparent communication with customers, and collaboration with law enforcement to disrupt extortion-driven data theft campaigns.
Conclusion: What This Indicates About Data Security Today
- The Charter incident highlights a modern threat landscape where a single compromised credential, obtained via social engineering, can enable access to extensive customer data repositories and enterprise platforms.
- Even when organizations report no immediate exposure of sensitive data, the leakage of account-level information and ancillary records can have material consequences for customers and brand trust.
- The interplay between extortion, data leakage, and ongoing investigations demonstrates why it is crucial for both enterprise security teams and individuals to remain vigilant and prepared for evolving forms of cybercrime.
Related Notes
- A number of articles and industry discussions surrounding this incident reference continued scrutiny of ShinyHunters’ activities and the growing use of Salesforce and related ecosystems as targets.
- The broader narrative includes other data breach cases where extortion-focused groups claim large-scale data exfiltration, followed by publicized leaks and law enforcement advisories against ransom payments.
- The evolving public record may see further updates as Charter and authorities complete their investigations and as more details become available about the scope of data exfiltration, if any, beyond the 4.9 million accounts identified by Have I Been Pwned.


