
Charter confirms data breach after ShinyHunters extortion threat

Charter confirms – Charter Communications says it suffered a data breach after the ShinyHunters extortion group threatened to leak customer data unless a ransom was paid. The company says it has found no evidence that sensitive personal information or customer proprietary networ

On the same weekend the ShinyHunters extortion group put Charter Communications on its data leak site, the U.S. broadband provider moved to close the loop internally and externally—confirming that it was dealing with a breach tied to the group’s threat.

Charter says it is alerting authorities following the incident, and it insists that no sensitive personal customer information was taken. In a statement shared this weekend, the company said it is “in the process of alerting appropriate authorities” and that it is following its “security protocols.”

“We are aware of the situation,” Charter told BleepingComputer.

“No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity.”

The dispute is the story. While Charter’s statement focuses on what it says did not leave its systems, the ShinyHunters listing paints a different picture, at least in what the attackers are claiming.

Charter is one of the largest broadband providers in the United States, serving tens of millions of residential and business customers through its Spectrum brand. The threat follows Charter’s appearance on the ShinyHunters data leak site, where attackers said they stole 40 million records containing personal information of consumer and business customers.

ShinyHunters also told BleepingComputer that it breached Charter on April 1 using a voice phishing (vishing) attack. The group said the vishing campaign compromised an employee’s Microsoft Entra account. From there, the attackers claimed they used the access to export millions of consumer and business customer records from Charter’s Salesforce instance.


In the threat actor’s account, the stolen records include customer names, email addresses, addresses, phone numbers, phone type, plan information, and some CPNI data. The attackers also claimed to have stolen customer support ticket data.

Charter’s public response did not repeat those specifics. When BleepingComputer reached back out about additional claims from the threat actor—specifically that more customer data, including some CPNI, was stolen—Charter pointed the follow-up back to its original statement.

The pressure behind extortion isn’t new, and the methods keep circling back to the same weak points: employee logins and single sign-on.

Since last year, ShinyHunters has been conducting widespread social engineering campaigns that target employees’ and BPO agents’ Microsoft Entra, Okta, and Google SSO accounts. After gaining access to a corporate SSO account, the attackers steal data from connected SaaS applications, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others.


That data is then used to extort the victim—threatening to leak stolen files unless a ransom is paid.

Salesforce has been a repeated target for the extortion gang. The attackers have breached numerous integration companies in the past to steal OAuth tokens, which can then be used to access Salesforce instances. More recently, ShinyHunters also carried out multiple attacks against the education technology firm Instructure, which led to Canvas outages and theft of data from tens of millions of students.

Instructure said it ultimately reached an “agreement” with the extortion gang, implying a ransom payment to prevent public release.

For Charter, the immediate question is where the truth lands between the attackers’ claimed haul and the company’s insistence that sensitive personal information and CPNI were not exfiltrated. What Charter has confirmed so far is that the incident is real enough to prompt notification of authorities, and that its investigation is built around one clear line: what was taken, and what wasn’t.

Until investigators and internal review fully reconcile the competing claims—40 million records on a leak site versus Charter’s denial of sensitive personal data and CPNI leaving its environment—customers and businesses tied to Spectrum will be left with the same uneasy uncertainty that comes with modern extortion: the threat doesn’t just target systems, it targets trust.


4 Comments

  1. “No sensitive info” yeah ok. If it was nothing why are there 40 million records in the first place? I don’t trust any of these companies anymore.

  2. I skimmed and I think the part about voice phishing is the scary one. Like you just answer the phone and boom your account is gone? Also Charter better tell people to change passwords like yesterday.

  3. ShinyHunters always sounds like fake hacker movie names lol, but if it’s real then Charter probably leaked it themselves. Companies “confirm” breach after the group threatens… so basically they waited until it was public. And “not exfiltrated” is kinda convenient wording. I mean, April 1 vishing, May leak site, then authorities… this timeline feels sus.
