THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-006
CYBER · ransomware threat groups · 2026-05-29SCOOP 79

Charter confirms ShinyHunters breach via Entra vishing; group claims 40M+ Spectrum records, Charter denies CPNI loss

Charter Communications confirmed a data breach after the extortion group ShinyHunters listed the company and threatened to leak stolen data.

·FILED ISSUE 2026-05-29·1 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • Employee Microsoft Entra account compromised via voice phishing (vishing) on April 1, 2026; access used to export records from Salesforce
  • ShinyHunters claims roughly 40 million (other reporting: 42 million) customer records stolen
  • Charter statement: 'no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated'
  • Subsequent leaks reportedly exposed at least 13 million individuals (primarily Spectrum Enterprise customers), including ~4.9 million unique email addresses and ~85,000 internal employee-directory records with job titles
  • Same vishing-to-Entra-to-Salesforce playbook ShinyHunters (overlapping Scattered Spider / 'Scattered LAPSUS$ Hunters') ran against dozens of Salesforce customers in 2025-2026; mirrors concurrent Carnival breach

VERDICT — CONFIRMED

high confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Charter confirms ShinyHunters breach via Entra vishing; group claims 40M+ Spectrum records
Image via primary source

Charter Communications confirmed a data breach after the extortion group ShinyHunters listed the company and threatened to leak stolen data. Per BleepingComputer, threat actors compromised an employee's Microsoft Entra account via voice phishing (vishing) on April 1, 2026, then used that access to export customer records from Charter's Salesforce environment.

ShinyHunters claims it stole roughly 40 million (other reporting: 42 million) customer records, while Charter declined to specify a number and stated that 'no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated.' That denial directly conflicts with ShinyHunters' claim that some CPNI, names, emails, physical addresses, phone numbers, phone type, plan details and support-ticket data were taken; subsequent leaks reportedly exposed at least 13 million individuals (primarily Spectrum Enterprise customers), including about 4.9 million unique email addresses plus names, phone numbers and addresses, and roughly 85,000 records from an internal employee directory with job titles. The breach mechanism, vishing to hijack Entra ID then pivot to Salesforce, is the same playbook ShinyHunters (overlapping with Scattered Spider / 'Scattered LAPSUS$ Hunters') has run against dozens of Salesforce customers in 2025-2026, and mirrors the concurrent Carnival breach.

The Charter case is notable for the public factual dispute between victim and attacker over whether regulated CPNI, which carries FCC implications for a telecom, was actually stolen. Charter said it is notifying authorities and following security protocols.

Key facts on file

  • Employee Microsoft Entra account compromised via voice phishing (vishing) on April 1, 2026; access used to export records from Salesforce
  • ShinyHunters claims roughly 40 million (other reporting: 42 million) customer records stolen
  • Charter statement: 'no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated'
  • Subsequent leaks reportedly exposed at least 13 million individuals (primarily Spectrum Enterprise customers), including ~4.9 million unique email addresses and ~85,000 internal employee-directory records with job titles
  • Same vishing-to-Entra-to-Salesforce playbook ShinyHunters (overlapping Scattered Spider / 'Scattered LAPSUS$ Hunters') ran against dozens of Salesforce customers in 2025-2026; mirrors concurrent Carnival breach
  • CPNI carries FCC implications for a telecom

PRIMARY SOURCE

BleepingComputer — Lawrence Abrams (2026-05-26)
· fetched at filing · archived at publication
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-006 · filed 2026-05-29 · https://thedwire.com/wire/cyb-2026-06-006-charter-confirms-shinyhunters-breach-via-entra-vishing.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Carnival Confirms ~6 Million Affected After April Social-Engineering Breach Clai
Photo: Maryland GovPics · via Wikimedia Commons · CC BY 2.0
CYBER · SCOOP 66

Carnival Confirms ~6 Million Affected After April Social-Engineering Breach Claimed by ShinyHunters

Carnival Corporation confirmed a data breach affecting approximately six million individuals, stemming from a social-engineering attack on an employee in April 2026. The company says an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of its IT systems on or around April 10, 2026; Carn

✓ verified
READ THE FILE ›
FBI warns Silent Ransom Group is posing as IT helpdesks — and walking operatives
Getty Images via CyberScoop
CYBER · SCOOP 62

FBI warns Silent Ransom Group is posing as IT helpdesks — and walking operatives into US law firms

The FBI warned in a May 26 advisory that the Silent Ransom Group (SRG) — the data-theft extortion crew also tracked as Luna Moth, Chatty Spider and UNC3753 — has "consistently targeted U.S.-based law firms" and has recently begun posing as employees from victims' own IT departments, with the alert rippling through the legal and security t

✓ verifiednewSOURCE ↗
READ THE FILE ›
Charter (Spectrum) Confirms Breach After ShinyHunters Vishing Hits Salesforce; H
BleepingComputer
CYBER · SCOOP 75

Charter (Spectrum) Confirms Breach After ShinyHunters Vishing Hits Salesforce; Hackers Claim Up to 42M Records

Charter Communications confirmed a data breach after the extortion group ShinyHunters claimed to have stolen up to 40-42 million records in an attack dated on or around April 1, 2026. According to ShinyHunters' account to BleepingComputer, the actors used a voice-phishing (vishing) call to compromise an employee's Microsoft Entra account,

✓ verified
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.