May 28, 2026
A Single Phone Call Cost Charter Communications 40 Million Customer Records—ShinyHunters Walked Into the Spectrum Salesforce Through One Vished Microsoft Entra Account on April 1 and Spent Eight Weeks Inside Before Charter Said a Word
No malware. No exploit. No zero-day. Just a voice on the phone, a Microsoft Entra credential handed over inside three minutes, and a Salesforce export that ran in plain sight while Charter said nothing.
On April 1, 2026, a Charter Communications employee answered a phone call. Eight weeks later, on May 26, the company finally acknowledged that the person on the other end was not from IT—and that 40 million Spectrum customer records had already left the building. The attackers ignored Charter's denials, ignored the May 27 extortion deadline, and started dumping the data anyway.
Key Takeaways
- ShinyHunters compromised one Charter employee's Microsoft Entra ID account on April 1, 2026 through a voice phishing call and used it to log into Charter's Salesforce instance.
- The threat group claims 40 million records left through the Salesforce export, including names, email addresses, physical addresses, phone numbers, plan details, and customer support ticket history.
- Charter did not disclose the incident publicly until May 26, 2026, the day before ShinyHunters' May 27 ransom deadline, and only after the group listed the company on its leak site.
- Charter denies that "sensitive" personal information or Customer Proprietary Network Information was exfiltrated, while ShinyHunters publicly disputes that claim with screenshots.
- ShinyHunters has now hit Charter, 7-Eleven, ADT, Instructure, and Vimeo using the same playbook in under 60 days—every one of them through a Salesforce export reached via SSO credential theft.
How Did One Phone Call Lead to 40 Million Customer Records?
The breach started with a vishing call. According to BleepingComputer's reporting, ShinyHunters reached a Charter employee, impersonated either an IT help desk worker or a contractor with legitimate access needs, and walked the target through a sequence of prompts that ended with the attacker holding valid Microsoft Entra ID credentials. Entra ID is the identity layer Charter uses for single sign-on across its corporate SaaS estate.
The Entra account was the keys to the kingdom. Once the attacker held it, the Salesforce instance Charter uses to manage customer accounts opened up without any further phishing required. A single, scripted Salesforce data export was enough to lift the bulk customer table out of the tenant and into ShinyHunters' staging infrastructure. The same export pipeline appears in every recent ShinyHunters incident; see eSecurity Planet's analysis of the alleged 42 million record figure.
What Was Inside the Stolen Charter Records?
ShinyHunters has been specific about the schema. The dumped records reportedly include:
- Full customer names
- Email addresses on file with Spectrum accounts
- Physical service addresses
- Phone numbers and phone type (mobile or landline)
- Spectrum plan information (internet tier, video package, voice service)
- Some Customer Proprietary Network Information (CPNI), which under FCC rules covers details like call records and service usage
- A separate table of customer support ticket history, including what customers wrote, what they complained about, and what Charter agents typed back
That last category is the one that should worry every Spectrum subscriber. Support tickets are an unfiltered record of every problem a customer has ever raised: stolen equipment reports, requests to update billing because of a divorce, conversations about medical leave deferrals, complaints that named other people. Once those texts are in a leak archive, they are searchable forever.
Charter's response, published the same day ShinyHunters added it to the leak site, said in part: "No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity." ShinyHunters posted screenshots disputing that claim within hours.
Why Did ShinyHunters Wait Eight Weeks to Surface the Breach?
Because that is the ShinyHunters playbook. The group gets in, exfiltrates, then runs a private extortion window before going public. Charter was added to the data leak site only after, according to ShinyHunters' own post, the company refused to negotiate. The May 27, 2026 deadline ShinyHunters set lapsed the day after Charter's public disclosure.
The eight-week gap matters for a different reason: under most US state breach notification laws, the clock starts when the company knows or should reasonably know that personal data was accessed. If Charter discovered the April 1 intrusion in early April but only notified the public on May 26, the time-to-notify question becomes a regulatory one. The FCC, which oversees CPNI specifically, has separately tightened breach reporting requirements for telecom carriers—Charter is one of the largest in the country, with roughly 32 million customer relationships across Spectrum Internet, TV, Mobile, and Voice.
Is This Part of a Bigger ShinyHunters Campaign?
Yes, and Charter is at least the fifth victim in the same wave. The Salesforce-via-SSO pattern is now the group's signature. Since March 2026, ShinyHunters has been linked to:
- 7-Eleven — 183,000 records stolen through the same Salesforce path.
- Instructure (Canvas) — student message data exfiltrated in May 2026 through the same SSO compromise pattern.
- Vimeo — 119,000 records dumped through the Anodot pipeline the group reuses.
- ADT — confirmed compromise via vished employee credentials.
- Cushman & Wakefield — 50GB of Salesforce data leaked when ransom negotiations failed.
The common thread is not the victim industry. It is the human voice on the phone, the Microsoft Entra account that gets handed over inside three minutes, and the Salesforce export that runs the moment the attacker authenticates. No malware. No exploit. No zero-day.
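One way a defender could hunt for the pattern described above, a bulk export shortly after an SSO sign-in from an address the account has never used. This is an added example, not code from the article or from any vendor: the event tuples, the thresholds and the function name `find_suspicious_exports` are assumptions, and the sample events are constructed rather than real Entra ID or Salesforce log records.

```python
from datetime import datetime, timedelta

# Constructed sample events: (user, ip, time) and (user, time, rows).
# Assumed, simplified shapes, not the real Entra ID or Salesforce log schemas.
SIGNINS = [
    ("user1@example.com", "198.51.100.7", "2026-03-02T09:01:00"),
    ("user1@example.com", "198.51.100.7", "2026-03-20T08:55:00"),
    ("user1@example.com", "203.0.113.44", "2026-03-27T14:12:00"),  # new IP
    ("user2@example.com", "198.51.100.9", "2026-03-05T10:00:00"),
    ("user2@example.com", "198.51.100.9", "2026-03-27T10:00:00"),  # known IP
    ("user3@example.com", "192.0.2.10", "2026-03-01T08:00:00"),
    ("user3@example.com", "192.0.2.99", "2026-03-27T08:00:00"),    # new IP
]
EXPORTS = [
    ("user1@example.com", "2026-03-20T09:30:00", 1_200),
    ("user1@example.com", "2026-03-27T14:19:00", 4_000_000),  # 7 min after new IP
    ("user2@example.com", "2026-03-27T10:20:00", 900_000),    # large, known IP
    ("user3@example.com", "2026-03-27T08:05:00", 300),        # new IP, small
]

def find_suspicious_exports(signins, exports, min_rows=100_000,
                            window=timedelta(minutes=30)):
    """Flag exports of >= min_rows rows whose most recent preceding sign-in
    came from an IP never seen before for that user, within `window`."""
    seen, sessions = {}, {}
    # Walk sign-ins in time order so "new IP" means new at that moment.
    # A user's first-ever sign-in therefore counts as a new IP.
    for user, ip, ts in sorted(signins, key=lambda s: s[2]):
        known = seen.setdefault(user, set())
        sessions.setdefault(user, []).append(
            (datetime.fromisoformat(ts), ip, ip not in known))
        known.add(ip)
    alerts = []
    for user, ts, rows in exports:
        if rows < min_rows:
            continue
        when = datetime.fromisoformat(ts)
        prior = [s for s in sessions.get(user, []) if s[0] <= when]
        if not prior:
            continue  # no sign-in to correlate with in this data set
        t, ip, is_new = prior[-1]
        if is_new and when - t <= window:
            delay = int((when - t).total_seconds() // 60)
            alerts.append({"user": user, "ip": ip, "rows": rows,
                           "delay_minutes": delay})
    return alerts
```
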
How Should Spectrum Customers Protect Their Email and Inbox Right Now?
Three things change for a Spectrum customer whose email, name, and address are now in a leak archive:
- Phishing accuracy goes up. Scammers now have an authoritative pairing of your name, your physical address, your phone number, and the email you used with Spectrum. Expect "Spectrum billing" phishing emails that contain real details, including your service tier or your last support ticket reference, designed to make the fake login page indistinguishable from a real one.
- SIM swap risk goes up. The breach includes phone number and phone type. SIM swap operators specifically buy lists like this because the phone number is paired with a verified physical address, which is everything needed to social engineer a carrier into transferring the line.
- Account recovery questions are now untrustworthy. If a service ever asks you to "verify your address on file" or "confirm the phone number we have for you," assume an attacker can answer those questions for the next several years.
The single hardest variable to defend is the email address. Every Spectrum customer whose email is now in the dump should expect a higher volume of targeted phishing, hidden tracking pixels in marketing impersonations, and credential phishing aimed at email accounts of record. Gblock blocks the invisible tracking pixels embedded in marketing and phishing emails so attackers can't confirm your address is live, can't see when you open a lure, and can't tune their next message based on your behavior.
What Happens Next?
ShinyHunters' history suggests three near-term outcomes. The Charter data will be leaked in waves, first a small "proof" set, then larger archives, across BreachForums and Telegram. Class action plaintiffs' firms have already begun investigation announcements, including Woods Lonergan PLLC. And the FCC will almost certainly open a CPNI proceeding, because telecom carriers face a separate regulatory regime when subscriber network information leaves the building, regardless of whether Charter's lawyers want to call it "sensitive."
For everyone else, the lesson is simpler: an MFA prompt that a human can be talked into approving is not MFA. ShinyHunters didn't crack any encryption. They just called.