Charter confirms ShinyHunters breach via Entra vishing; group claims 40M+ Spectrum records, Charter denies CPNI loss
Charter Communications confirmed a data breach after the extortion group ShinyHunters listed the company and threatened to leak stolen data.
At a glance
- Employee Microsoft Entra account compromised via voice phishing (vishing) on April 1, 2026; access used to export records from Salesforce
- ShinyHunters claims roughly 40 million (other reporting: 42 million) customer records stolen
- Charter statement: 'no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated'
- Subsequent leaks reportedly exposed at least 13 million individuals (primarily Spectrum Enterprise customers), including ~4.9 million unique email addresses and ~85,000 internal employee-directory records with job titles
- Same vishing-to-Entra-to-Salesforce playbook ShinyHunters (overlapping Scattered Spider / 'Scattered LAPSUS$ Hunters') ran against dozens of Salesforce customers in 2025-2026; mirrors concurrent Carnival breach
VERDICT — CONFIRMED
Charter Communications confirmed a data breach after the extortion group ShinyHunters listed the company and threatened to leak stolen data. Per BleepingComputer, threat actors compromised an employee's Microsoft Entra account via voice phishing (vishing) on April 1, 2026, then used that access to export customer records from Charter's Salesforce environment.
ShinyHunters claims it stole roughly 40 million (other reporting: 42 million) customer records, while Charter declined to specify a number and stated that 'no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated.' That denial directly conflicts with ShinyHunters' claim that some CPNI, names, emails, physical addresses, phone numbers, phone type, plan details and support-ticket data were taken; subsequent leaks reportedly exposed at least 13 million individuals (primarily Spectrum Enterprise customers), including about 4.9 million unique email addresses plus names, phone numbers and addresses, and roughly 85,000 records from an internal employee directory with job titles. The breach mechanism, vishing to hijack Entra ID then pivot to Salesforce, is the same playbook ShinyHunters (overlapping with Scattered Spider / 'Scattered LAPSUS$ Hunters') has run against dozens of Salesforce customers in 2025-2026, and mirrors the concurrent Carnival breach.
The Charter case is notable for the public factual dispute between victim and attacker over whether regulated CPNI, which carries FCC implications for a telecom, was actually stolen. Charter said it is notifying authorities and following security protocols.
Key facts on file
- Employee Microsoft Entra account compromised via voice phishing (vishing) on April 1, 2026; access used to export records from Salesforce
- ShinyHunters claims roughly 40 million (other reporting: 42 million) customer records stolen
- Charter statement: 'no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated'
- Subsequent leaks reportedly exposed at least 13 million individuals (primarily Spectrum Enterprise customers), including ~4.9 million unique email addresses and ~85,000 internal employee-directory records with job titles
- Same vishing-to-Entra-to-Salesforce playbook ShinyHunters (overlapping Scattered Spider / 'Scattered LAPSUS$ Hunters') ran against dozens of Salesforce customers in 2025-2026; mirrors concurrent Carnival breach
- CPNI carries FCC implications for a telecom


