Skip to main content
Emerging ThreatsData Breaches

Charter Breach Exposes Millions of Customer Records

Rows of cubicles with employees working on computers surrounded by papers and office supplies near a large window.

“40 million records,” the extortion site claimed — a specific tally that propelled Charter Communications into public confirmation and a swift exchange of statements with security reporters.

Charter Communications’ public response

Charter Communications acknowledged the incident in a statement shared with BleepingComputer and said it is "alerting appropriate authorities" and following its security protocols. The company told the outlet: "We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities." Charter also asserted that "No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity."

ShinyHunters’ listing and alleged haul

The extortion group ShinyHunters listed Charter on its data leak site and told BleepingComputer it had stolen "40 million records" containing customer data. According to the threat actor's account to BleepingComputer, the exported dataset included customer names, email addresses, addresses, phone numbers, phone type, plan information, and some CPNI data, and that customer support ticket data was also taken.

When BleepingComputer pressed Charter about the threat actor’s claim that additional customer data — including some CPNI — was taken, the company referred back to its original statement denying exfiltration of sensitive PI or CPNI.

How ShinyHunters says it got in: vishing and SSO compromise

ShinyHunters told BleepingComputer the group breached Charter on April 1 through a voice phishing (vishing) attack that compromised an employee's Microsoft Entra account. The threat actor said that access to that single SSO account was then used to export millions of customer records from Charter's Salesforce instance.

The group’s described approach is consistent with its broader pattern over the past year: conducting social engineering campaigns that target employees and business-process outsourcing (BPO) agents’ Microsoft Entra, Okta, and Google single-sign-on accounts, then using those credentials to pull data from connected cloud services.

Salesforce and connected SaaS as the prize

BleepingComputer’s reporting places Salesforce at the center of the alleged extraction from Charter. The extortion actors told the outlet they exported data from Charter’s Salesforce instance, and the outlet noted that Salesforce has been a frequent target for the group.

ShinyHunters has reportedly used multiple paths to reach Salesforce data: breaching integration companies to steal OAuth tokens that permit access to customer Salesforce environments, and compromising corporate SSO accounts that are connected to numerous SaaS applications. The group has also targeted services including Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox, according to BleepingComputer’s account of the group’s tactics.

What this means for technologists, regulators, and customers

  • Technologists and security teams: the incident — as described by the extortion group — underscores a recurring attack chain tied to social engineering of SSO credentials and downstream access to SaaS platforms such as Salesforce. Teams responsible for identity and access should be watching for vishing-linked compromises and unusual exports from connected applications.
  • Regulators and authorities: Charter said it is "in the process of alerting appropriate authorities." The contrasting public claims — ShinyHunters’ assertion of 40 million records and Charter’s statement that no sensitive PI or CPNI was exfiltrated — will be material to any inquiry or regulator review that follows.
  • Customers and business customers: the extortion listing and a threat actor’s description of data types claimed to have been taken — names, contact details, plan information and support ticket data — are the concrete consumer-facing elements of the dispute. Charter’s public denial of sensitive PI or CPNI exfiltration will be what customers and business clients watch most closely as investigations proceed.

The public record in this case rests on two competing statements: ShinyHunters’ posting and its account to BleepingComputer asserting a large export from Charter’s Salesforce instance, and Charter’s formal statement denying that sensitive personal information or CPNI were exfiltrated and confirming it has alerted authorities. Which version proves accurate will depend on forensic results and the authorities Charter says it is notifying; until those findings are released, the two accounts remain at odds in the public reporting.

Source: BleepingComputer — Charter confirms data breach after ShinyHunters extortion threat