Charter Communications, the US telecommunications giant behind the Spectrum brand, has confirmed a data breach after ShinyHunters listed the company on its leak site and threatened to publicly release stolen customer data unless a ransom is paid.

The company serves more than 32 million customers across 40 US states, making this one of the largest alleged telecom breaches of 2026.
What Happened in the Charter Communications Data Breach
ShinyHunters added Charter to its data leak site and claimed to have stolen between 40 and 42 million records containing personally identifiable information belonging to both residential and business customers. The group set a deadline of May 27, 2026, warning that it would publish the data if Charter did not open ransom negotiations before that date.

Charter acknowledged the incident in a statement shared with multiple media outlets:
“We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities. No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity.”
The company has not confirmed how many customers may be affected or whether breach notification letters will go out to impacted individuals.
How ShinyHunters Breached Charter
According to the attackers, the breach took place on April 1, 2026, through a voice phishing attack that compromised a Charter employee’s Microsoft Entra account. Voice phishing, also called vishing, involves calling targets over the phone and impersonating IT staff or customer support to trick employees into handing over credentials or account access.
Once inside, the threat actors used that compromised account to export millions of customer records from Charter’s Salesforce instance. This method mirrors a pattern the group has used across dozens of enterprise targets since 2025. After gaining access to a corporate single sign-on account, attackers pivot into connected SaaS platforms including Salesforce, Microsoft 365, Google Workspace, Slack, Zendesk, Dropbox, and others.
Salesforce has been a recurring target in this campaign. ShinyHunters has reportedly breached multiple Salesforce integration companies to steal OAuth tokens, which give persistent access to customer Salesforce instances without triggering standard login alerts.
What Data Was Stolen According to ShinyHunters
ShinyHunters claims the exported records include:
- Customer names
- Email addresses
- Physical addresses
- Phone numbers
- Phone type
- Plan information
- Some CPNI data
- Customer support ticket data
Charter disputes that any sensitive personal information or CPNI data was taken. The company has not independently confirmed or denied the scope of the breach beyond its original statement, and the exact contents of the alleged dataset have not been independently verified.
ShinyHunters’ Growing Breach Campaign in 2026
The Charter incident is part of a broader pattern in cybersecurity this year. In 2026 alone, ShinyHunters has claimed breaches at Panera (more than 5 million customers), identity protection company Aura (nearly 1 million customers), ADT (5.5 million customers), and education technology firm Instructure. Instructure reportedly reached an agreement with the group, widely interpreted as a ransom payment to prevent a public data release.
The 7-Eleven data breach in April 2026 was also attributed to ShinyHunters, with the personal data of 185,000 people stolen. That incident followed the same playbook: social engineering to gain SSO access, followed by bulk exports from connected SaaS platforms.
The Verizon 2026 Data Breach Investigations Report found that for the first time in 19 years, exploiting software vulnerabilities overtook stolen credentials as the top breach entry point across industries. ShinyHunters’ continued success with vishing and SSO compromise shows that social engineering remains an equally dangerous threat vector running alongside technical exploits.
What Charter Spectrum Customers Should Do Now
Charter has not yet said whether it will send breach notification letters. While the full scope of the stolen data remains disputed between Charter and the threat actors, taking precautions now is advisable.
- Monitor your accounts: Watch for unexpected login alerts on your email, phone account, or any service tied to the email address on file with Charter or Spectrum.
- Watch for targeted phishing: If ShinyHunters publishes the data, attackers can use stolen names, email addresses, and phone numbers to craft convincing phishing campaigns. Treat any unsolicited message claiming to be from Spectrum or Charter with skepticism before clicking any links.
- Enable multi-factor authentication: Add MFA to your email account and any account that shares credentials with your Charter or Spectrum login. This is one of the most effective defenses against account takeover attacks.
- Consider identity monitoring: If Charter confirms a broader breach, an identity theft protection service can alert you to misuse of your personal data before damage compounds.
ShinyHunters is known for calling victim companies while impersonating IT or customer support staff to gain internal access. Customers can face the same approach. Be cautious of any unsolicited call or message asking you to verify account details or grant remote access to your device.
