Back

Charter Communications Data Breach Exposes 4.9 Million Accounts

Severity: Medium (Score: 51.9)

Sources: Bleepingcomputer, haveibeenpwned.com

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: charter, communications, data, breach, million, accounts, company

Severity indicators: breach, data breach

Summary

In early April 2026, Charter Communications suffered a data breach affecting 4.9 million accounts, attributed to the ShinyHunters extortion gang. The attackers accessed an employee's Microsoft Entra account via a voice phishing attack, allowing them to steal data from the company's Salesforce instance. The stolen information includes names, email addresses, physical addresses, phone numbers, and job titles from an internal directory. Charter confirmed the breach but stated that no sensitive personal information or customer proprietary network information was exfiltrated. After Charter refused to pay the ransom, ShinyHunters leaked the stolen data on their dark web site. The FBI has advised victims not to comply with ransom demands, as it does not guarantee the return or destruction of stolen data. Key Points: • 4.9 million accounts affected by Charter Communications data breach. • Attackers used voice phishing to compromise an employee's Microsoft Entra account. • ShinyHunters extortion gang claimed responsibility and leaked the stolen data.

Detailed Analysis

**Impact** The breach affected 4.9 million Charter Communications accounts, including consumer and business customers across 41 U.S. states. Exposed data includes names, email addresses, phone numbers, physical addresses, and for approximately 85,000 internal employees, job titles. Charter confirmed no sensitive personal information (PII) or customer proprietary network information (CPNI) was exfiltrated according to their statement, though some CPNI data was claimed stolen by the threat actor. The incident impacts the telecommunications sector and potentially compromises customer trust and operational security. **Technical Details** The attack began with a voice phishing (vishing) campaign on April 1, which compromised an employee’s Microsoft Entra account. The threat actor, the ShinyHunters extortion group, accessed and exfiltrated 42 million records from Charter’s Salesforce instance, including customer and employee data. The group published the stolen data on a dark web leak site after Charter refused ransom demands. No specific malware, CVEs, or infrastructure details were disclosed in the sources. **Recommended Response** Organizations should immediately enforce multi-factor authentication (MFA) on all critical accounts, especially cloud services like Microsoft Entra and Salesforce. Monitor for suspicious access patterns and unauthorized data exfiltration attempts related to Salesforce environments. Customers and employees should change passwords and enable 2FA on affected accounts. No specific patches or IOCs were provided; defenders should focus on detecting vishing attempts and securing identity and access management controls.

Source articles (2)

  • Charter Communications data breach affects 4.9 million accounts — Bleepingcomputer · 2026-05-29
    The ShinyHunters extortion gang stole personal information from 4.9 million accounts after hacking the U.S. telecom giant Charter Communications in early April, according to data breach notification s…
  • Charter — haveibeenpwned.com · 2026-05-29
    In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" ex…

Timeline

  • 2026-04-01 — Charter Communications breached: ShinyHunters accessed Charter's systems through a voice phishing attack, compromising an employee's account.
  • 2026-05-29 — Data leak confirmed: ShinyHunters published the stolen data, exposing 4.9 million email addresses and other personal information.
  • 2026-05-29 — Charter confirms breach: Charter Communications acknowledged the breach and stated that no sensitive personal information was exfiltrated.

Related entities

  • Salt Typhoon (Apt Group)
  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Salesloft Drift Campaign (Campaign)
  • Drift (Campaign)
  • AT&T (Company)
  • Charter Communications (Company)
  • Consolidated Communications (Company)
  • Lumen (Company)
  • Verizon (Company)
  • Windstream (Company)
  • Salesforce (Company)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • Telecommunications (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Microsoft Entra (Platform)
  • Salesforce Aura (Platform)
  • Salesloft (Tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed