Charter Communications — vishing-led Salesforce CRM breach, ShinyHunters extortion
ShinyHunters claims 42 million Charter customer records exfiltrated from Salesforce after vishing an employee into surrendering their Microsoft Entra account.
- Target: Charter Communications — vishing-led Salesforce CRM breach, ShinyHunters extortion
- Date public: 25 May 2026
- Sector: Telecoms
- Attack type: Phishing
- Threat actor: ShinyHunters
- Severity: High
- Region: United States
ShinyHunters listed Charter Communications on its extortion portal in late May 2026, claiming the theft of more than 42 million customer records and setting a 27 May deadline for negotiations. Charter, the second-largest US cable operator and parent of the Spectrum brand, confirmed the intrusion to reporters on 25 May 2026.
According to the threat actor’s own narrative, the initial-access date was 1 April 2026. ShinyHunters says it phoned a Charter help-desk function, talked its way through identity verification, and pivoted the social-engineering call into a Microsoft Entra account compromise. From the Entra foothold the attackers reached Charter’s Salesforce environment and exported customer records in bulk. The listing claims the dataset contains names, email addresses, physical addresses, phone numbers, plan details, customer proprietary network information and support-ticket data.
Charter’s public position, conveyed via a spokesperson statement, is that “no sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor.” That language leaves the bulk of the ShinyHunters claim — names, addresses, phone numbers, plan and support data — neither confirmed nor denied. The company says it is coordinating with authorities and notifying affected individuals as required.
The Charter intrusion fits the same playbook now stretching across the Cushman & Wakefield, Pitney Bowes, Carnival, Medtronic, Vimeo/Anodot and Instructure/Canvas entries: voice phishing of a privileged employee, identity-provider compromise, a lateral pivot into a Salesforce CRM, bulk record export, and an extortion-portal listing on a tight deadline. The Salesloft/Drift OAuth-token theft of August 2025 remains the strategic enabler for many in the cluster; the Charter variant adds a direct identity-provider attack rather than a Drift-style supply-chain shortcut.
A deep-dive will follow once Charter’s regulatory filings (any Item 1.05 or Item 8.01 8-K, plus FCC and state attorney-general notifications) firm up the actual record taxonomy, the dataset is independently corroborated, and the access chain from compromised Entra identity to bulk Salesforce export is publicly documented. The early defender lens is the now-familiar one: identity-provider compromise plus a poorly segmented SaaS estate turns one phoned-in social-engineering call into a tens-of-millions-of-records breach in a single working day.
Sources
- BleepingComputer — Charter confirms data breach after ShinyHunters extortion threat (25 May 2026) // reporting
- CyberInsider — Charter Communications confirms data breach as hackers threaten leak of 42 million records // reporting
- SC Media — ShinyHunters extorts Charter Communications after data breach // reporting