ShinyHunters has published data stolen from Charter Communications, one of the largest cable and broadband providers in the United States, after Charter declined to meet an extortion deadline of May 27. Have I Been Pwned has confirmed at least 4.9 million customer records in the leaked dataset; ShinyHunters claims the total is 42 million. Charter has acknowledged the breach but asserts that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated — a distinction the volume of published data makes difficult to sustain in public.
How the Breach Occurred
The intrusion followed a vishing attack. An attacker contacted Charter employees by phone, impersonated an internal party or trusted third party, and socially engineered an employee into granting access to a Microsoft Entra (formerly Azure AD) account. With that foothold, the attacker pivoted into Charter’s Salesforce CRM environment, from which the customer and employee records were extracted.
The confirmed dataset includes full names, email addresses, residential and business addresses, and approximately 27,000 employee records containing work emails, job titles, and some home addresses. The 42 million figure ShinyHunters claims represents their full alleged scope; the independently confirmed 4.9 million is the verified subset.
Context: ShinyHunters’ Current Operational Posture
ShinyHunters is a financially motivated extortion group with a documented track record of high-volume data theft operations across North America and Europe. The group does not encrypt victim environments — their leverage is threatened publication of exfiltrated data, and they have a consistent record of following through when ransoms are not paid. Charter joins a list of recent ShinyHunters targets including Carnival Corporation, whose breach was announced in the same disclosure cycle.
The attack vector here is significant. Vishing remains underweighted as a threat relative to phishing in most enterprise training programmes, yet it bypasses many technical controls entirely. The Microsoft Entra pivot is consistent with a pattern observed across multiple 2026 incidents: telephone-based social engineering to obtain SSO or identity platform access, followed by lateral movement through SaaS environments integrated with that identity provider. Salesforce is a particularly high-yield target in this pattern because CRM platforms aggregate customer PII at scale and are routinely granted broad integrations across the enterprise.
Implications for Communications Sector Operators
Telecom and cable operators hold unusual data density relative to other sectors: customer identity, billing information, service address, account history, and sometimes device inventory. Regulatory obligations in this space are also more stringent — CPNI data carries specific FCC protections, and disclosure timelines for affected customers are mandated. Charter’s claim that no CPNI was extracted will be scrutinised by regulators regardless of the final confirmed record count.
The Salesforce-as-exfiltration-target pattern is worth flagging beyond the communications sector. Any organisation with a Salesforce deployment integrated into its Entra ID or Okta identity provider should audit which accounts have Salesforce access, review Entra Conditional Access policies governing that access, and ensure that voice-based social engineering scenarios are included in privileged access training.
Recommended Actions
- Audit Entra/Okta conditional access for accounts with access to Salesforce, Dynamics, or other CRM platforms. Require phishing-resistant MFA (FIDO2/hardware token) for all CRM-connected identities — SMS and voice OTP are insufficient against determined vishing.
- Implement voice authentication controls for helpdesk and IT support workflows that can result in account access being granted or reset. Challenge phrases, callback to registered numbers, and manager approval requirements all raise the cost of a vishing attack significantly.
- CRM data minimisation review. Determine whether the breadth of customer records held in Salesforce or similar platforms reflects actual operational need, or historical data accumulation. Records that are not retained cannot be exfiltrated.
- Monitor for ShinyHunters targeting indicators. The group typically initiates contact prior to publishing data. If your organisation receives an extortion communication referencing a data breach, engage legal counsel and your incident response retainer before responding.