"The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses," Have I Been Pwned said — an assessment that places nearly five million Charter Communications customer accounts at the center of a fresh extortion drama.
ShinyHunters says a vishing attack on April 1 led to a Salesforce haul
The cybercrime gang known as ShinyHunters claimed responsibility for breaching Charter Communications in early April, telling BleepingComputer that it had compromised an employee's Microsoft Entra account via a voice phishing (vishing) attack on April 1. According to the group, that access was used to extract data from the company's Salesforce instance — a haul the gang said contained 42 million records and included customer and business names, email addresses, physical addresses, phone numbers, phone types, plan information, support ticket data, and some customer proprietary network information (CPNI).
ShinyHunters followed its claim by publishing the stolen documents on its dark web leak site after the company allegedly refused to pay a ransom demand to have the data returned and destroyed.
Charter confirms an incident but denies sensitive data was taken
Charter Communications confirmed this week that it experienced a breach but told BleepingComputer that "No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity." The company said it had alerted authorities and has not publicly attributed the attack. When asked by BleepingComputer about ShinyHunters' claims that additional CPNI data was stolen, Charter referred the outlet back to its original statement.
Charter is a large U.S. telecom operator: the company has over 92,000 employees and provides internet, mobile, video, and voice services under the Spectrum brand to more than 32 million customers and over 57 million homes in 41 states.
Have I Been Pwned analysis narrows the impact to 4.9 million accounts
Independent analysis by data breach notification service Have I Been Pwned (HIBP) examined the material published by the extortion gang and concluded the incident exposed 4.9 million unique accounts. HIBP said the published records contained names, email addresses, job titles, phone numbers, and physical addresses. It added that "a subset of approximately 85k records originating from an internal employee directory also included job titles."
HIBP's assessment narrows the scope of the publicly disclosed leak compared with ShinyHunters' claim of 42 million Salesforce records, but confirms a large set of customer-facing and internal directory information was published.
Leak, ransom dynamics, and the FBI's warning
BleepingComputer reported that after ShinyHunters' ransom demand was not met, the group leaked the data on its dark web site. The FBI has recently advised ShinyHunters' victims not to give in to ransom demands, noting that payment cannot guarantee that threat actors will not sell the stolen data to others or attempt to extort victims again. The bureau had previously warned along the same lines.
The interplay of extortion, public leaks, and official guidance illustrates how attackers and defenders are operating: threat actors press for payment and publish material when demands are refused; law enforcement cautions that paying may not stop additional criminal activity.
Salt Typhoon previously impacted Charter in a broader telecom campaign
Charter's systems were also compromised earlier in a wave of breaches attributed to a Chinese state-backed threat group tracked as Salt Typhoon, according to reporting included in the record. That campaign affected other major U.S. carriers — AT&T, Verizon, Consolidated Communications, Windstream, and Lumen — and telecom companies in dozens of other countries. The earlier incidents demonstrate that Charter has been a target of multiple, distinct adversaries in recent months.
What this means for technologists, end users, and regulators
- Technologists and security teams: expect renewed scrutiny of third-party cloud applications and identity controls — the claim centers on a compromised Microsoft Entra account and data exfiltrated from Salesforce. Security teams will likely revisit access controls, multi-factor authentication, and monitoring of cloud app data egress.
- End users and customers: 4.9 million accounts were identified by Have I Been Pwned as exposed, including names, emails, phone numbers, and physical addresses; a portion of roughly 85,000 internal records included job titles. Affected customers will want to watch for phishing and social-engineering attempts that can follow publication of this kind of contact data.
- Regulators and policymakers: questions about CPNI arose in public claims and in the company's denial. Regulators will be watching public statements and any evidence about whether customer proprietary network information was accessed or published, given the competing claims from the extortion gang and Charter.
The public record at this stage contains competing claims: a criminal group asserting a large Salesforce theft and a telecom company denying that sensitive PI or CPNI was exfiltrated, while an independent breach tracker authenticated the exposure of 4.9 million accounts. As investigators and the company continue their work, the key facts to follow are whether additional forensic detail emerges tying the published data to Charter systems, and whether law enforcement or regulators disclose findings that confirm or refute the differing accounts.




