Charter Confirms Breach as ShinyHunters Claims 42 Million Records via Salesforce Vishing
Charter Communications, the parent of Spectrum, confirmed a cybersecurity incident on May 26-27, 2026 after ShinyHunters claimed 42 million customer records via the same vishing-to-Microsoft-Entra-to-Salesforce playbook documented across the 2026 cluster at ADT, Amtrak, Odido, and Vimeo.
The Charter breach is not a new attack technique. It is the same vishing-to-Microsoft-Entra-to-Salesforce sequence the 2026 ShinyHunters cluster has used to hit ADT, Amtrak, Odido, Vimeo, Carnival, and others — and the most important thing about it is that the playbook keeps working against the largest US enterprises because the weakness lives at the human and identity layer.
STAMFORD, CONNECTICUT — On May 26-27, 2026, Charter Communications — the largest US cable broadband provider, operating as Spectrum — confirmed a cybersecurity incident after the extortion group ShinyHunters listed Charter on its leak site and demanded the company open ransom negotiations by May 27 or the stolen data would be published. ShinyHunters claims it holds more than 42 million Charter customer records; Charter, in a statement issued to BleepingComputer and CyberInsider, says it is investigating, has alerted the appropriate authorities, and that no sensitive personal information (PI) or customer proprietary network information (CPNI) was exfiltrated by the threat actor.
The intrusion mechanics, as described by ShinyHunters and reported across BleepingComputer, eSecurity Planet, TechRadar, and CyberInsider, match the playbook the group has used across the entire 2026 cluster: a voice-phishing (vishing) attack on April 1, 2026 compromised an employee's Microsoft Entra account, and the attacker used that access to reach Charter's Salesforce instance and export customer data. ShinyHunters' headline figure of 42 million records is the group's own claim from the leak-site listing; TechRadar's reporting frames the same dataset as approximately 40 million records, and neither figure has been independently corroborated.
What Happened
Charter Communications confirmed the incident on May 26-27, 2026, after ShinyHunters added the company to its public leak site and warned that stolen data would be published if Charter did not open ransom negotiations by May 27. In statements provided to BleepingComputer and CyberInsider, a Charter spokesperson said the company is 'aware of the situation, following our security protocols, and in the process of alerting appropriate authorities,' and that 'no sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor.' Charter has not publicly confirmed the scale of the alleged theft, the number of customers affected, or whether notifications will be sent to impacted individuals — the company has so far referred back only to its initial statement denying the exposure of sensitive data.
The attacker's account of how the intrusion happened — repeated across BleepingComputer, eSecurity Planet, TechRadar, and CyberInsider — is consistent and operationally specific. ShinyHunters says a voice-phishing (vishing) attack on April 1, 2026 compromised the Microsoft Entra account of a Charter employee. Microsoft Entra is Microsoft's identity platform — the directory and single-sign-on layer that mediates an employee's access to the wider set of SaaS applications a modern enterprise runs on. With the Entra session in hand, the attacker pivoted into Charter's Salesforce instance and exported customer records in volume. ShinyHunters' leak-site listing claims more than 42 million records containing personally identifiable information; TechRadar reports the same dataset as approximately 40 million. The data the group says it took includes customer names, email addresses, postal addresses, phone numbers, phone type, plan details, customer-support ticket information, and some CPNI fields. None of the volume figures, and none of the data-type claims beyond what Charter has acknowledged, have been independently corroborated.
The Same Vishing-to-Entra-to-Salesforce Sequence, Again
The single most important thing about the Charter incident is not what is novel in it but what is not. The intrusion sequence — a phone call that harvests an employee credential, a compromised Microsoft Entra session, and a Salesforce data export — is the same sequence reporting has documented across the entire 2026 ShinyHunters campaign. The pattern was visible when ShinyHunters confirmed the breach of America's largest home-security company ADT through an Okta SSO and Salesforce pivot in April, visible when the group's claim of 9.4 million Amtrak records was corroborated by 2.1 million accounts on Have I Been Pwned, and visible when Dutch mobile operator Odido refused to compensate 6.2 million breach victims after the same CRM-pivot pattern played out against its Salesforce instance. It is the same playbook visible in the Vimeo-via-Anodot breach and in the earlier Zara / Carnival / 7-Eleven 'pay or leak' ultimatum — and most recently in Brief #1 today, ShinyHunters' extortion claim against Carnival for 6 million records. Charter is the latest widely recognized US enterprise added to the list. The campaign has not been disrupted, and the technique has not been mitigated.
Microsoft Entra Is the Pivot Point — and the Defender Problem
Microsoft Entra (the platform formerly known as Azure Active Directory) sits at the center of every Charter-style incident in this cluster because it is the layer the rest of an enterprise's SaaS stack delegates trust to. An attacker who controls an Entra account does not need to compromise Salesforce, Microsoft 365, Slack, Zendesk, or Dropbox individually — federation does that work for them. The Charter intrusion is therefore not really a Salesforce incident, even though Salesforce is where the data was held; it is an identity incident in which Salesforce was the largest data store the compromised identity could reach. That distinction matters for defenders because it determines where the controls have to live. Stronger controls on the Salesforce side — DLP on bulk exports, anomaly alerting on API-export volume, rate-limited customer-record retrieval — are still useful and still necessary. But they sit downstream of the compromise. The upstream control is on the Entra side, and it is two specific things: phishing-resistant MFA (FIDO2 hardware keys or platform passkeys, which a vishing call cannot harvest the way it can harvest a password and an SMS or push-prompt code) on every employee account that touches customer data, and an out-of-band, identity-verified help-desk reset process that does not allow a phone call alone to grant credential changes.
CPNI Is the Word That Matters
Charter's denial is unusually specific in one respect: the company says no customer proprietary network information (CPNI) was exfiltrated. CPNI is not a generic phrase. It is a regulated category under US Federal Communications Commission rules — the subset of telecom customer data that includes the services a subscriber uses, calling and usage patterns, and other carrier-specific information that the FCC considers sensitive enough to require carriers to protect it under FCC Section 222 and its implementing rules. ShinyHunters' counter-claim — that the dataset includes 'some CPNI fields' — is directly responsive to Charter's denial; it is also, importantly, a deliberate provocation aimed at a regulator. If CPNI exfiltration is later confirmed by an independent party — through the dataset itself becoming public, through a customer-notification disclosure required under state breach-notification statutes, or through a regulatory finding — the Charter story shifts from a generic data breach into a US telecom-regulatory matter. As of publication, the two positions stand directly opposed: Charter's denial, and the threat actor's claim. Neither has been independently verified.
Scope and Impact
The volume claim is the part of this story that has to be hedged most carefully. ShinyHunters' leak-site listing claims more than 42 million records; eSecurity Planet and CyberInsider have used that figure in their headlines; TechRadar's reporting frames the same dataset as approximately 40 million records. The gap between those numbers does not necessarily indicate a contradiction — it is consistent with the figure being rounded down by one outlet and presented as the threat actor stated it by others — but it is a useful reminder that no part of the volume number has been corroborated against the underlying data. ShinyHunters has, in past cluster incidents, posted figures that were later verified against partial datasets on Have I Been Pwned (the Amtrak case, where 2.1 million of a claimed 9.4 million records were independently confirmed) and has also posted figures that have not been independently verified at all. Until the dataset, or a portion of it, is independently examined, the responsible framing of the 42 million figure is exactly what Charter has implicitly framed it as: the threat actor's claim. Charter's denial of PI and CPNI exfiltration is the company's claim. The reader should hold both positions in view.
What is structurally not in question is the scale of Charter's customer base and therefore the scope of any plausible exposure. Charter operates Spectrum services — cable broadband, mobile, video, and voice — across more than 40 US states, with tens of millions of residential and business customers. TechRadar reports the active US subscriber base at more than 32 million. Even a fraction of that base, if accurately represented in any portion of the ShinyHunters dataset, would constitute a breach in the same order of magnitude as the largest US telecom incidents of the last several years. The defender-relevant scope question is not only how many records were taken, but which customers were represented in the Salesforce instance the attacker reached — current customers, former customers, prospects, business accounts, or all of the above. That breakdown has not been publicly disclosed.
The other scope question is sectoral. The 2026 ShinyHunters cluster has now affected retail, education, healthcare, media, telecom, transit, and government — Charter joins ADT (security services), Amtrak (transit), Odido (telecom), Vimeo (media), Carnival (travel), 7-Eleven (retail), Instructure / Canvas (education), Cushman & Wakefield (real estate), and others. The Zara / Carnival / 7-Eleven 'pay or leak' ultimatum coverage was the first time we framed the campaign as sector-agnostic. Six weeks later, the framing is no longer optional. The Charter incident is evidence that the campaign is not a vertical play; it is an identity-and-CRM-layer play, and the vertical of the victim is incidental.
Response and Attribution
For Charter-equivalent CISOs — that is, Microsoft 365 and Microsoft Entra-environment leaders with Salesforce-scale customer data stores — the immediate work is two-tracked. On the identity track, audit help-desk impersonation defenses: assume a vishing call into a help desk is, given this cluster, more likely than not in the next twelve months, and enforce out-of-band, identity-verified resets before any credential change. Move every employee account with access to customer-data systems onto phishing-resistant MFA — FIDO2 hardware keys or platform passkeys — and remove SMS, push, and one-time-passcode flows from the MFA options for those accounts. On the Salesforce track, restrict bulk-export volume by user and role, enforce DLP alerting on large customer-record exports, audit Salesforce REST API activity from Entra-federated sessions, and treat any anomalous high-volume export as a Salesforce-tier incident by default — not as a CRM administrative event. For SOC and IR teams, the cluster pattern now justifies treating a Microsoft Entra compromise notification from Microsoft 365 telemetry as a Salesforce-tier incident from minute zero rather than triaging it as a generic identity event.
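One way to express the SOC triage rule described above, as an added example rather than code from Charter, Microsoft, or Salesforce: it escalates a per-role bulk-export overage to an incident when the same user had a help-desk reset or MFA registration shortly before. The event schema, action names, role ceilings, and 24-hour window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not a vendor log format).
IDENTITY_EVENTS = [
    {"ts": "2026-01-15T14:02:00", "user": "agent17@example.com", "action": "helpdesk_password_reset"},
    {"ts": "2026-01-15T14:05:00", "user": "agent17@example.com", "action": "mfa_method_registered"},
    {"ts": "2026-01-15T09:00:00", "user": "analyst3@example.com", "action": "mfa_method_registered"},
]
CRM_EXPORTS = [
    {"ts": "2026-01-15T14:40:00", "user": "agent17@example.com", "role": "support", "rows": 400_000},
    {"ts": "2026-01-15T15:10:00", "user": "agent17@example.com", "role": "support", "rows": 900_000},
    {"ts": "2026-01-15T11:00:00", "user": "analyst3@example.com", "role": "analytics", "rows": 150_000},
    {"ts": "2026-01-15T16:00:00", "user": "agent42@example.com", "role": "support", "rows": 60_000},
]

# Assumed policy values; tune to your own role baselines.
ROLE_ROW_LIMIT = {"support": 5_000, "analytics": 250_000}
DEFAULT_LIMIT = 1_000            # unknown roles get the strictest ceiling
CREDENTIAL_ACTIONS = {"helpdesk_password_reset", "mfa_method_registered"}
WINDOW = timedelta(hours=24)     # how long a credential change taints later exports


def triage(identity_events, exports):
    """Flag users whose cumulative exported rows exceed their role ceiling.

    'incident' = the ceiling is crossed within WINDOW after a credential change;
    'review'   = over the ceiling with no recent credential change.
    """
    changes = defaultdict(list)
    for ev in identity_events:
        if ev["action"] in CREDENTIAL_ACTIONS:
            changes[ev["user"]].append(datetime.fromisoformat(ev["ts"]))

    totals, findings = defaultdict(int), {}
    for ex in sorted(exports, key=lambda e: e["ts"]):
        user, when = ex["user"], datetime.fromisoformat(ex["ts"])
        totals[user] += ex["rows"]
        limit = ROLE_ROW_LIMIT.get(ex["role"], DEFAULT_LIMIT)
        if user in findings or totals[user] <= limit:
            continue
        recent = any(timedelta(0) <= when - c <= WINDOW for c in changes[user])
        findings[user] = {"severity": "incident" if recent else "review",
                          "rows_at_alert": totals[user], "alert_time": ex["ts"]}
    return findings


if __name__ == "__main__":
    for user, finding in triage(IDENTITY_EVENTS, CRM_EXPORTS).items():
        print(user, finding)
```

The alert fires on the export that first crosses the ceiling, so the responder sees the overage before the rest of the export completes.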
On attribution, the position is unambiguous. ShinyHunters has claimed responsibility for the Charter intrusion on its leak site; reporting by BleepingComputer, eSecurity Planet, TechRadar, and CyberInsider has carried that claim and described the consistent vishing-to-Entra-to-Salesforce sequence. The intrusion mechanics are, on the public record, ShinyHunters' published methodology across the 2026 cluster. Charter has not contradicted the attribution and has not described the intrusion path itself in its public statement. The 42 million record figure is ShinyHunters' own; it should be cited as such until and unless it is independently verified. Charter's denial of PI and CPNI exfiltration is the company's official position; it should be cited as such until and unless an independent examination of the dataset shows otherwise. Holding both positions clearly is the responsible framing, and it is the framing the cluster as a whole now demands of cybersecurity reporting.
The CyberSignal Analysis
Signal 01 — The Story Is Playbook Persistence, Not Attack Novelty
Most coverage of the Charter incident will lead on the 42 million record figure, and the figure is the number that drives the headline. But the more important fact about Charter is that nothing about the intrusion is new. The vishing call, the Microsoft Entra compromise, the Salesforce export, the leak-site ultimatum — every element has been documented across the 2026 ShinyHunters cluster, in the same sequence, against tier-one US and European enterprises in retail, telecom, healthcare, media, education, transit, and security. The defender-utility question is no longer what this attack looks like. It is why this attack is still working. The answer is that the weakness it exploits lives at the human and identity layer, not in any single product an enterprise can patch, and the controls that close it — phishing-resistant MFA on every customer-data account, out-of-band identity verification at the help desk, DLP and rate limits on Salesforce bulk exports — require organizational and procedural change, not a software update. Until those controls are deployed broadly across the Fortune 500 and equivalents, the playbook will keep producing Charter-shaped headlines.
Signal 02 — Microsoft Entra Is Now a Tier-Zero Target
The cluster pattern has resolved a question that was open at the start of 2026: where, in the modern SaaS-federated enterprise, does an attacker have to land to reach a customer-data store at scale? The answer the cluster gives is the identity provider — Microsoft Entra in Charter's case, Okta in ADT's, the same federated identity layer in every other documented incident. That makes Microsoft Entra (and the equivalent identity surfaces in any organization) a tier-zero asset that should be defended at the same posture as a domain controller in an on-premises Active Directory environment. It is not a SaaS administrative system. It is the path that turns one phished credential into every connected SaaS application — including the one with the largest customer-record table in the company. CISOs whose Entra security posture is treated as part of generic SaaS-management hygiene are looking at the wrong layer.
Signal 03 — Salesforce Has a Vendor-Level Question to Answer
The phrase 'Salesforce vishing campaign' has now appeared in cybersecurity reporting often enough across 2026 that the responsibility question is no longer fully a customer-side question. The cluster does not implicate a vulnerability in the Salesforce platform itself — every incident, including Charter's, has flowed through a legitimate authenticated session that the platform had no reason to reject. But the question that has become impossible to avoid is whether a 42-million-record API export from a single authenticated session, in a single window, should trigger a platform-level alert by default — not just a customer-side alert in whatever DLP product the customer has configured. The Charter incident is the latest large-scale data export through Salesforce in a year that has already produced several. Salesforce, as a platform, has the visibility to detect this pattern from above the customer; the cluster pattern is now well-documented enough that platform-level rate-limit alerts on bulk customer-record exports are a question its enterprise customers have standing to ask. The pricing of platform-level monitoring against the pricing of fifteen separate customer-side breach disclosures is a calculation Salesforce can run.