Charter Communications Data Breach Exposes 42 Million Records

Charter Communications confirmed a data breach this week after the ShinyHunters extortion group threatened to release stolen customer data unless the company paid a ransom. The group claims to have pulled more than 42 million records from Charter's systems, a number that exceeds the company's total active customer base. Charter, which operates across the United States under the Spectrum brand, acknowledged the incident but disputes the scale and sensitivity of what was taken.

How ShinyHunters Got In

The attack began on April 1. ShinyHunters claims a voice phishing call, also known as vishing, was enough to compromise an employee's Microsoft Entra account. No malware. No zero-day exploit. A convincing phonecall targeting a single worker opened the door.

Once inside, the group moved directly to Charter's Salesforce environment and began exporting customer records. The method fits a well-documented pattern. ShinyHunters has spent the past year running coordinated vishing campaigns against enterprise cloud infrastructure, using stolen single sign-on credentials to pivot into SaaS platforms and extract data at scale.

What the Stolen Records Contain

According to the threat actor, the breach exposed customer names, email addresses, physical addresses, phone numbers, account plan details, and support ticket data. ShinyHunters also claims the haul includes some customer proprietary network information, data that, for telecom providers, covers call details, service subscriptions, and usage patterns regulated by the FCC.

Charter's official position contradicts that claim. The company stated that no sensitive personal information and no customer proprietary network information was exfiltrated. It has not commented directly on the attackers' more granular data claims and has referred further inquiries back to its original statement.

The 42 million figure is worth scrutinising. Charter serves roughly 32 million residential and business customers. The gap likely reflects duplicate entries and former customers included in the exported data, common in large CRM environments, but the raw volume still points to a significant extraction from a live production system.

A Deadline That Has Now Passed

ShinyHunters posted Charter to its leak site with a hard deadline: open negotiations by May 27, 2026, or the data goes public. That deadline is today.

The group's track record on follow-through is consistent. When targets do not engage, stolen data typically surfaces on dark web forums or gets sold to third parties. Whether Charter has made any contact with the attackers is unknown. The company has not publicly addressed the deadline or confirmed what happens next.

ShinyHunters' Broader Salesforce Campaign

The Charter incident sits inside a much larger operation. ShinyHunters has claimed responsibility for breaching more than 1,000 organisations through a sustained campaign targeting Salesforce environments, with an alleged 1.5 billion records stolen across those intrusions. The attack chain relies on vishing to harvest SSO credentials, OAuth token abuse through third-party integrations, and device code phishing to maintain persistent access.

Earlier in 2026, the group claimed breaches at Panera, Aura, and ADT, all affecting millions of consumers. Instructure, the education software provider behind Canvas, was also hit. The pattern is consistent: identify a cloud-connected enterprise, exploit its authentication layer through social engineering, and extract as much data as possible before issuing an extortion demand.

Charter is a high-value target. As one of the largest broadband and mobile providers in the country, its Salesforce instance would contain dense, commercially sensitive customer data, exactly the kind ShinyHunters monetises most effectively.

What Charter Has Said and Not Said

Charter confirmed the incident and said it is following its security protocols while alerting authorities. Beyond that, the company has released little. It has not confirmed how many customers are affected, whether individual notifications will be sent, or how the attackers moved through its systems after gaining initial access.

That silence has limits. Depending on the nature of the data ultimately confirmed as stolen, telecom providers face notification obligations under FCC rules and, in many cases, state-level breach disclosure laws. If CPNI exposure is later verified, the regulatory stakes rise considerably.

What Spectrum Customers Should Do Now

Customers with Spectrum accounts should treat this as an active threat until Charter provides a clearer account of what was taken. Practically, that means a few immediate steps.

Change your Spectrum account password and set a unique one not used elsewhere. Review any linked payment methods for unusual charges. Be alert to phishing emails or calls that reference your account, plan details, or support history. Attackers with that data can craft highly convincing impersonation attempts. If Charter confirms broader data exposure in the coming days, consider placing a credit freeze as a precaution.

The Charter Communications data breach is still developing. The company has confirmed the incident but has yet to close the gap between its public statements and what the attackers claim to hold. Until that gap narrows, the risk to affected customers remains open.