PROBABLYPWNED
Data Breaches | May 25, 2026 | 4 min read

Charter Communications Breach: ShinyHunters Claims 42M Records

ShinyHunters threatens to leak 42 million Charter Communications customer records by May 27. The telecom giant confirms incident but disputes data sensitivity claims.

Sarah Mitchell

Charter Communications, the telecommunications giant operating under the Spectrum brand, confirmed a cybersecurity incident after the ShinyHunters extortion group claimed to have stolen 42 million customer records and set a May 27 deadline for negotiations.

The threat actor added Charter to its leak site on May 23, warning that the stolen data would be published if the company ignores extortion demands. Charter acknowledges the incident but disputes the severity, stating that "no sensitive personal information or customer proprietary network information was exfiltrated."

What We Know

ShinyHunters claims to have obtained over 42 million records containing personally identifiable information. The exact nature of the allegedly stolen data hasn't been independently verified, and Charter's public statements suggest the breach may be less severe than the attackers claim.

A Charter spokesperson confirmed the company is investigating and collaborating with authorities but declined to comment on customer notification plans or the number of affected individuals.

The attack appears connected to a broader ShinyHunters campaign targeting Salesforce environments and enterprise cloud infrastructure. Organizations whose environments contained exposed credentials, authentication tokens, or improperly secured integrations have been particularly vulnerable to this wave of intrusions.

ShinyHunters' 2026 Campaign

This breach is the latest in an aggressive year for ShinyHunters. The group has claimed responsibility for multiple high-profile intrusions in 2026:

The group has demonstrated a consistent methodology: target cloud infrastructure (especially Salesforce, Snowflake, and Okta integrations), exfiltrate data, then demand payment under threat of public disclosure. Their May 27 deadline gives Charter roughly four days to respond—a typical pressure window for extortion operations.

Charter's Response

Charter's assertion that no sensitive PI or CPNI data was stolen may prove accurate, but organizations often underestimate breach scope in initial statements. The company hasn't disclosed what data was accessed, only what wasn't.

Customer proprietary network information (CPNI) includes details about telecommunications services—call records, usage patterns, and service configurations. If ShinyHunters truly didn't access this data, the breach may be limited to less sensitive account information. But 42 million records of any kind represents significant exposure.

The Salesforce Connection

Multiple ShinyHunters victims this year share a common thread: Salesforce integration vulnerabilities. The group has exploited misconfigured Salesforce environments, stolen authentication tokens, and leveraged improperly secured API connections to extract data at scale.

Organizations using Salesforce—particularly those integrating it with customer databases—should audit their configurations. Common issues include overly permissive API access, reused authentication tokens, and insufficient monitoring of data exports. For more on securing against breaches, see our guide on what is a data breach.
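
An added example, not code from Salesforce or from any organization named in this article: it checks for two of the issues listed above, reused authentication tokens and unmonitored data exports, over constructed audit records. The record schema, token ids, account names and thresholds are assumptions for illustration and do not reproduce a real Salesforce log format.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a simplified, hypothetical schema:
# time, token id, integration user, source IP, event type, rows returned.
SAMPLE_LOG = """\
2026-05-20T09:02:11,tok-a1,svc-billing,10.0.4.17,api_query,1200
2026-05-20T09:15:40,tok-a1,svc-billing,10.0.4.17,api_query,900
2026-05-20T10:01:03,tok-b7,svc-marketing,10.0.9.5,report_export,4000
2026-05-21T02:11:09,tok-b7,svc-marketing,203.0.113.44,bulk_export,250000
2026-05-21T02:29:55,tok-b7,svc-marketing,203.0.113.44,bulk_export,310000
2026-05-21T03:05:12,tok-b7,svc-marketing,203.0.113.44,bulk_export,40000
"""

def parse(text):
    """Yield one dict per audit record with typed time and row count."""
    fields = ["time", "token", "user", "ip", "event", "rows"]
    for rec in csv.DictReader(text.splitlines(), fieldnames=fields):
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["rows"] = int(rec["rows"])
        yield rec

def audit(text, max_rows_per_hour=100_000, max_ips_per_token=1):
    """Flag tokens seen from too many source IPs and hourly export spikes."""
    ips = defaultdict(set)      # token -> source IPs it was presented from
    hourly = defaultdict(int)   # (token, hour) -> total rows returned
    for rec in parse(text):
        ips[rec["token"]].add(rec["ip"])
        hour = rec["time"].replace(minute=0, second=0)
        hourly[(rec["token"], hour)] += rec["rows"]
    findings = []
    for token, seen in sorted(ips.items()):
        if len(seen) > max_ips_per_token:
            findings.append(("token_multi_ip", token, sorted(seen)))
    for (token, hour), rows in sorted(hourly.items()):
        if rows > max_rows_per_hour:
            findings.append(("export_volume", token, hour.isoformat(), rows))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

In practice the thresholds would be set per integration from its normal baseline, since a nightly sync and a support tool have very different expected export volumes.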

What Happens Next

Charter faces a choice familiar to breach victims: engage with extortionists or wait for potential data publication. The company's muted response—neither confirming negotiations nor explicitly refusing—suggests internal deliberations are ongoing.

If ShinyHunters follows its established pattern, the May 27 deadline is somewhat flexible. The group typically extends deadlines while pursuing negotiations, using incremental data releases to pressure victims. The Canvas breach saw multiple deadline extensions before Instructure reportedly reached an agreement.

For Charter customers, the immediate risk depends on what data ShinyHunters actually obtained. Even "non-sensitive" account information can enable social engineering attacks, SIM swapping, or identity theft when combined with other leaked datasets.

Recommended Actions for Customers

  1. Enable account alerts for any changes to your Spectrum/Charter account
  2. Use unique passwords for your telecom accounts
  3. Enable two-factor authentication where available
  4. Be wary of unsolicited calls claiming to be from Charter support
  5. Monitor credit reports if personal information was exposed

Telecommunications providers remain high-value targets because they hold extensive customer data and provide services that attackers can abuse—particularly through SIM swapping attacks that bypass SMS-based two-factor authentication.

We'll update this story as Charter provides additional details or the May 27 deadline passes.
