Charter Communications, the company behind Spectrum internet, cable, and mobile service, confirmed a data breach this week and then watched the stolen data land on the open web. The extortion group ShinyHunters published at least 13 million customer records after Charter apparently refused to pay a ransom demand with a May 27 deadline.
ShinyHunters claimed to BleepingComputer that the breach occurred on April 1 through a voice phishing attack that compromised an employee's Microsoft Entra account. Voice phishing, also called vishing, means someone called a Charter employee and talked their way into the credentials rather than breaking through any technical barrier. Once inside, the attackers used that access to export millions of consumer and business customer records from Charter's Salesforce instance.
The stolen records, according to the threat actors, include customer names, email addresses, physical addresses, phone numbers, phone type, plan information, and some CPNI data. CPNI, or Customer Proprietary Network Information, is a federally protected category that covers your call records (who you called, when, and for how long) along with your service subscriptions and usage patterns. Federal law singles it out for protection because call logs can reveal details about your personal life that go well beyond basic contact information, including which doctors, lawyers, or financial professionals you're in contact with and how often.
Charter's public response has been to deny the most serious part of that claim. The company told BleepingComputer: "No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity." ShinyHunters says the opposite, and with the data now publicly posted, independent researchers are in a position to evaluate those competing claims.
According to the Cybernews research team, ShinyHunters did upload millions of records that appear to belong to Charter Communications, with most of the customer data appearing to come from Spectrum Enterprise, the division serving large businesses, corporations, and government agencies. The dataset exposed at least 13 million individuals, along with details from nearly 10 million customer support ticket records. The team also found records on nearly 27,000 Charter staff members, including work emails, job titles, and some home addresses.
Charter currently serves more than 32 million customers in the US, which means ShinyHunters' claim of 40 to 42 million records would exceed the company's entire customer base. The Cybernews team noted that the 42 million figure may not be accurate, as the dataset may contain numerous duplicates.
Since last year, ShinyHunters has conducted widespread social engineering campaigns targeting employees' Microsoft Entra, Okta, and Google SSO accounts, then pivoting into connected SaaS platforms such as Salesforce, Microsoft 365, Google Workspace, Slack, and Zendesk to extract data at scale. In 2026 alone, the extortion group has claimed breaches at Panera (more than 5 million customers), Instructure's Canvas platform (used by more than 30 million students and teachers), identity protection company Aura (nearly 1 million customers), and ADT (5.5 million customers).
Charter has not yet said whether it will send breach notification letters to affected customers. Based on the Cybernews team's analysis, the leaked records include full names, email addresses, home and company addresses, and support ticket details, with no passwords or payment information described in the dataset. The law firm Chimicles Schwartz Kriner, which is investigating potential class action claims against Charter, notes that the exposure of this type of information places affected individuals at significantly increased risk of targeted phishing, spearphishing, and account takeover attempts.
What to do if you're a Spectrum customer
Change your Spectrum account password and turn on two-factor authentication if you haven't already. Be skeptical of any call or email claiming to be from Charter or Spectrum, especially anything asking you to confirm account details or click a link. If a call seems off, hang up and dial Spectrum's official support number directly.
You can check whether your email address appears in the Charter breach at haveibeenpwned.com. The site now includes 4.9M email addresses linked to the Charter breach. If your email has been exposed, update passwords on any accounts tied to that address and turn on two-factor authentication. (Read our guide to getting 2FA set up).
Placing a credit freeze at all three bureaus, Equifax, Experian, and TransUnion, is also worth doing. It's free, reversible, and blocks anyone from opening new credit accounts in your name using your contact information.
Read next: How to freeze your credit to stop identity theft
[Image credit:vCharter Communications]
