Charter Communications (Spectrum)
A phone call. That's how ShinyHunters got in. Voice phishing compromised one employee's Microsoft Entra account. Then they exported 42 million customer records from Salesforce.
What happened?
On April 1, 2026, ShinyHunters initiated a voice phishing attack against a Charter Communications employee. The call compromised the employee's Microsoft Entra (Azure AD) credentials. From there, attackers pivoted to Charter's Salesforce instance and began exporting customer data. ShinyHunters issued a final warning on May 23, with a deadline of May 27 to pay or face a full data leak.
What data was actually inside?
ShinyHunters claims 42 million records containing names, email addresses, physical addresses, phone numbers, plan details, support ticket data—and customer proprietary network information (CPNI). CPNI is essentially a record of your call history, service details, and usage patterns. It's regulated data under federal telecommunications law.
Charter disputes the CPNI claim. They stated: "No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated." ShinyHunters told reporters they specifically grabbed CPNI. Someone isn't telling the truth.
Who gets hurt and how?
Charter Communications serves tens of millions of customers through its Spectrum brand—internet, cable TV, and phone services. If 42 million records were actually taken, that could represent a significant portion of their entire customer base.
Names, addresses, and phone numbers enable targeted phishing. Plan details reveal how much customers pay and which services they use—intelligence for upsell scams impersonating Spectrum. If CPNI was taken, attackers have call patterns and usage data that can be used for surveillance, stalking, or social engineering.
What did they think they were doing right?
Using Microsoft Entra for identity management. Using Salesforce for customer relationship management. Both are enterprise-grade platforms with extensive security controls, compliance certifications, and dedicated security teams. Charter likely had MFA enabled, security awareness training, and incident response procedures in place.
But voice phishing bypasses technical controls by targeting humans. The attacker doesn't exploit a vulnerability in Microsoft or Salesforce—they exploit trust. One convincing phone call, one employee who believed they were talking to IT support or a legitimate caller, and the entire chain of enterprise security tools becomes irrelevant.
What did they not know about their own data?
The conflicting claims about CPNI are revealing. Either Charter knows exactly what was in their Salesforce instance and is correctly stating CPNI wasn't there—or they're discovering the scope of their data exposure in real time while publicly denying the worst-case scenario.
42 million records is a lot of data to export. That kind of bulk extraction should trigger alerts, rate limiting, or anomaly detection. Unless the access patterns looked normal for the compromised account. Unless nobody had visibility into what a single Salesforce user could export in one session.
If you use Salesforce, you probably have the same data types—emails, names, addresses, phone numbers. Do you know which fields contain PII?
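One way to alert on the bulk exports discussed above, as an added example that is not Charter's, Salesforce's, or this page's own code: it sums rows exported per user per day and flags a day that exceeds either a fixed ceiling or a multiple of that user's own prior median. The log format, column names, thresholds, and account names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed export-audit rows (not real data). Column names are assumptions;
# map them to the fields your CRM's audit or event log actually provides.
SAMPLE_LOG = """\
date,user,object,rows_exported
2026-01-05,agent.a,Contact,180
2026-01-06,agent.a,Contact,220
2026-01-07,agent.a,Case,150
2026-01-08,agent.a,Contact,200
2026-01-09,agent.a,Contact,5000
2026-01-09,agent.a,Account,4000
2026-01-05,svc.report,Contact,40000
2026-01-06,svc.report,Contact,42000
2026-01-07,svc.report,Contact,41000
2026-01-08,svc.report,Contact,120000
2026-01-08,new.hire,Contact,300
"""

def daily_totals(log_text):
    """Sum exported rows per user per day, across all objects."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        totals[row["user"]][row["date"]] += int(row["rows_exported"])
    return totals

def flag_bulk_exports(log_text, multiplier=10, hard_ceiling=50_000, min_history=3):
    """Return sorted (date, user, rows, reason) alerts.
    'hard ceiling' fires regardless of history, so an account whose normal
    volume is already high cannot hide a bulk pull behind its own baseline.
    'baseline' fires when a day exceeds multiplier x the user's prior median.
    """
    alerts = []
    for user, days in daily_totals(log_text).items():
        ordered = sorted(days)  # ISO dates sort chronologically as strings
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            total = days[day]
            if total >= hard_ceiling:
                alerts.append((day, user, total, "hard ceiling"))
            elif len(history) >= min_history and total > multiplier * median(history):
                alerts.append((day, user, total, "baseline"))
    return sorted(alerts)

if __name__ == "__main__":
    print(*flag_bulk_exports(SAMPLE_LOG), sep="\n")
```

The constructed `svc.report` account shows why a relative baseline alone is not enough: its 120,000-row day is under ten times its usual volume and is caught only by the fixed ceiling.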
What does attribution look like the morning after?
Charter confirmed the incident: "We are aware of the situation, following our security protocols, and are in the process of alerting appropriate authorities." But the May 27 deadline creates urgency. Either Charter pays, or the data goes public.
ShinyHunters has been running this playbook against Salesforce-using organizations for months. 7-Eleven. Udemy. Vimeo. The attack pattern is consistent: compromise credentials through phishing or third-party breaches, pivot to Salesforce, export everything accessible. Charter is the latest—and largest—target.
What would have changed the outcome?
Knowing exactly what sensitive data each employee credential could access—before that credential was compromised.
One phone call. One compromised account. 42 million records. The math doesn't work unless that single account had access to an enormous amount of customer data—and unless there was no alerting on bulk exports.
Voice phishing will always be a risk. Humans make mistakes. The question is whether those mistakes should cascade into 42-million-record breaches. An organization that had inventoried which accounts could access which customer data, flagged unusual export volumes, and knew where CPNI actually lived would have contained this faster—or prevented the bulk extraction entirely.
Charter Communications found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.