
How One Phone Call Cost Charter Spectrum 42 Million Customer Records

IPW May 31, 2026 16 min read 21 views

On April 1, 2026, someone called a Charter Communications employee, claimed to be from IT support, and convinced them to hand over their Microsoft Entra credentials. That phone call, lasting maybe a few minutes, is the entire story of how attackers walked away with 42 million records, according to the threat actors who later took credit for the breach.

There was no malware. No zero-day exploit. No sophisticated state-sponsored intrusion campaign. A single Charter employee, doing what felt like a normal IT support interaction, gave the keys away. From there, the attackers logged into the company's Salesforce environment and started exporting customer data. By the time anyone at Charter noticed, the damage was done.

This is the new shape of the enterprise breach in 2026. The attackers do not need to break technical defenses anymore. They just talk their way past the humans who hold the keys. Charter is one of the largest cable and broadband providers in the United States, operating under the Spectrum brand with more than 32 million customers across 40 states. If a company that large can be taken down by a phone call, the implications for everyone else are uncomfortable.

Here is exactly what happened, why vishing (voice phishing) has become the most reliable attack vector against major enterprises, and what every company and individual should take away from it.

Charter Communications, Inc.

What happened: the timeline

The breach itself was quick. The fallout has been slower.

April 1, 2026. A Charter employee receives a voice phishing call. The caller impersonates internal IT support and walks the employee through a "security verification" or similar pretext, capturing the employee's Microsoft Entra (formerly Azure AD) login credentials in the process. With those credentials, the attacker logs into Charter's federated single sign-on environment.

April 1-2, 2026. The attacker pivots from the compromised Entra account into Charter's Salesforce CRM environment, which is connected via SSO. Customer records are exported in bulk. Based on what later got dumped, this included names, email addresses, physical addresses, phone numbers, account plan details, support ticket histories, and approximately 27,000 internal employee records with job titles.

May 23, 2026. ShinyHunters, the cybercrime group claiming responsibility, adds Charter to their dark web leak site with a ransom demand and a deadline. The listing claims "over 42 million records containing PII have been compromised."

May 27, 2026. Deadline day. Charter confirms a cybersecurity incident in a statement to multiple outlets but disputes the scope, saying "no sensitive personal information or customer proprietary network information was exfiltrated." ShinyHunters disagrees.

May 29, 2026. ShinyHunters publishes the data on the dark web. Independent analysis by Have I Been Pwned and Cybernews researchers confirms approximately 4.9 million unique individuals in the verifiable consumer dataset, plus the 27,000 employee records, plus a larger but heavily duplicated set of records that may push the total exposed individuals past 13 million depending on how duplicates are counted.

So the 42 million number is contested. The breach itself is not. Whatever the final count, millions of Charter customers had their personal information published online, and the attackers got it through a phone call.

One Phone Call illustration (AI grok image)

The attack vector: just a phone call (vishing explained)

Voice phishing, almost always shortened to vishing, is exactly what it sounds like: phishing over a phone call instead of email. It has been around for years, but the technique has evolved into something the cybersecurity industry now treats as one of the most reliable ways to breach a major company.

Here is what a modern vishing call looks like in practice.

The attacker calls during business hours, from a spoofed number that looks like an internal company extension or a known IT support line. The number spoofing is trivial in 2026, even for low-skill attackers. The caller has often researched the target on LinkedIn (real name, real job title, real manager's name, real recent corporate news), giving them enough context to sound authentic.

The pretext is almost always the same: "your account has been flagged for unusual activity," or "we need to verify your access before the new security policy takes effect," or "your VPN session is expiring and we need to renew your authentication." Each of these creates urgency without raising obvious alarms. The employee, trusting the caller's apparent legitimacy, follows the verbal instructions.

The critical moment is when the attacker walks the employee through one of these flows:

  1. MFA push approval. The attacker, who already has the employee's password (from a prior breach, infostealer, or earlier social engineering), triggers an MFA prompt on the employee's phone and asks them to "approve the verification request you just received." The employee, expecting a verification as part of this support call, taps approve.
  2. One-time code disclosure. The attacker asks the employee to read out the code they just received via SMS or authenticator app. The employee complies, "to verify their identity."
  3. Session token theft via fake login page. The attacker directs the employee to a separate domain that looks like a legitimate company login URL but routes through an attacker-controlled proxy. The employee enters credentials and approves MFA. The attacker captures the authenticated session cookie in real time.

Any of those three paths gives the attacker an active, MFA-approved session inside the company's identity system. From there, every SaaS application connected via SSO is exposed.

Charter's specific compromise was through a Microsoft Entra account. Microsoft Entra is the cloud identity service that controls who can access what across the company's cloud applications. Once the attacker had that one account, they had a key to everything Entra federated to, which in Charter's case included Salesforce.
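The third flow above (a look-alike login domain proxying to the real one) is also the one that phishing-resistant MFA, discussed under the defenses later in this article, is built to stop. The following added example (not code from the article, Charter, or any vendor) shows why: an OTP is a bare string that a proxy can relay, whereas a WebAuthn assertion carries the origin the browser actually talked to, and the relying party rejects any origin other than its own. The origins are constructed, and an HMAC with a per-credential secret stands in for the authenticator's asymmetric signature so the example runs with the standard library only.

```python
"""Why a look-alike login proxy captures an OTP but not a FIDO2 assertion."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"    # assumed legitimate IdP origin
PROXY_ORIGIN = "https://login-example.com"   # assumed attacker look-alike domain


# --- OTP flow: the factor is a string, so whoever relays it in time wins ---
def otp_rp_verify(submitted_code: str, expected_code: str) -> bool:
    return hmac.compare_digest(submitted_code, expected_code)


def otp_through_proxy(expected_code: str) -> bool:
    # The victim types the code into the proxy page; the proxy forwards it unchanged.
    code_seen_by_proxy = expected_code
    return otp_rp_verify(code_seen_by_proxy, expected_code)


# --- WebAuthn-style flow: the browser binds the origin into the signed data ---
class Authenticator:
    """Holds the credential secret and signs whatever client data the browser supplies.
    Stand-in: a real authenticator holds an asymmetric private key, not an HMAC secret."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self.secret, hashlib.sha256(client_data).digest(), "sha256").digest()


def browser_client_data(origin: str, challenge: str) -> bytes:
    # The browser, not the user, fills in the origin it is actually connected to.
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def webauthn_rp_verify(auth: Authenticator, client_data: bytes, signature: bytes,
                       expected_challenge: str, rp_origin: str) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != rp_origin:        # origin binding: the phishing-resistant check
        return False
    if data.get("challenge") != expected_challenge:
        return False
    # Stand-in for verifying the assertion with the registered public key.
    return hmac.compare_digest(auth.sign(client_data), signature)


def webauthn_login(auth: Authenticator, origin_seen_by_browser: str) -> bool:
    """Simulate one login; the proxy can relay the challenge but cannot change the origin."""
    challenge = secrets.token_urlsafe(16)     # issued by the RP, relayed unchanged by any proxy
    client_data = browser_client_data(origin_seen_by_browser, challenge)
    signature = auth.sign(client_data)        # user touches the key; there is no code to read out
    return webauthn_rp_verify(auth, client_data, signature, challenge, REAL_ORIGIN)
```

Run against the proxy origin, the assertion is rejected even though the user approved it, which is the property no verbal instruction can override.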

What ShinyHunters actually took

This is where Charter's public statement and ShinyHunters' claims diverge sharply.

ShinyHunters claims to have stolen 42 million records including customer names, email addresses, physical addresses, phone numbers, phone types, plan details, customer support ticket information, and some Customer Proprietary Network Information (CPNI). CPNI is regulated data covering things like call history and detailed service usage, which carries higher legal weight than ordinary PII under US telecom regulations.

Charter publicly states that "no sensitive personal information or customer proprietary network information was exfiltrated by the threat actor." The company has framed the incident more narrowly, suggesting that what was taken does not meet the threshold for the most serious notification obligations.

Independent analysis sits between the two claims. After the data was published, Have I Been Pwned imported approximately 4.9 million unique customer records into its breach database. Cybernews researchers analyzed the published files and noted heavy duplication, suggesting ShinyHunters padded the count by including the same individuals multiple times across different data sources. Independent counts based on de-duplication land somewhere between 5 and 13 million affected individuals, plus the 27,000 employee records.

For an affected customer, the distinction between 5 million and 42 million does not really matter. If your data is in the dump, you are exposed. What does matter is the type of data, and on that point Charter and ShinyHunters cannot both be right. Either CPNI was taken or it was not. We may not know the truth until either regulatory disclosures force more detail or further dumps appear.

The Salesforce angle: why one compromised account equals millions of records

There is a structural reason why a single phone call can produce tens of millions of leaked records, and it is worth understanding because it applies to almost every major enterprise.

When a large company adopts Salesforce (or any modern CRM), the entire customer database lives in that one platform. Customer service representatives have access to customer records. Sales representatives have access to a slightly different slice. Marketing has access to email lists and engagement data. Engineering has access to support tickets. Compliance teams have access to retention records.

To make those role-based permissions work without driving everyone insane, modern companies federate Salesforce authentication to their central identity provider (Microsoft Entra, Okta, Google Workspace). One login, one MFA challenge, and you are inside Salesforce as your assigned role.

The problem is that the granularity of the access often does not match the granularity of the breach impact. A help desk technician's account, compromised, gives the attacker access to any record the technician could query, which in many companies is the entire customer base because the technician needs to be able to look up any customer who calls in. A sales operations account might have export rights to the entire pipeline. A marketing automation account might have export rights to the entire email list.

Once the attacker is logged in as a legitimate employee, Salesforce sees no anomaly. The attacker queries records, exports them, and walks out. From Salesforce's perspective, an authorized user has successfully done authorized things. There is no malware to detect, no network anomaly to flag, no behavioral signal that looks obviously wrong.

This is the same pattern that hit Snowflake customers in 2024 (250+ companies breached through compromised credentials and unenforced MFA), and it is the pattern ShinyHunters has been running against Salesforce environments throughout 2025 and 2026. The CRM concentrates the data, the SSO concentrates the access, and a single compromised employee account collapses both concentrations into a single point of failure.
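The session may look authorized, but the volume does not have to. The following added detection example (not Charter's or Salesforce's code) builds a per-user daily export baseline from constructed event lines in a Salesforce EventLogFile-like shape (field names USER_NAME, EVENT_TYPE, ROWS_PROCESSED, TIMESTAMP_DERIVED and CLIENT_IP are assumed) and flags any day whose exported row count exceeds both an absolute floor and a multiple of that user's prior median.

```python
"""Flag bulk CRM exports that an otherwise legitimate-looking session would hide."""
import json
from collections import defaultdict
from statistics import median

# Constructed sample: a help desk account that normally exports a few dozen rows a day,
# then 1.2 million rows on April 1, beside a sales ops account with a steady high volume.
SAMPLE_EVENTS = """
{"USER_NAME":"helpdesk1@example.com","EVENT_TYPE":"ReportExport","ROWS_PROCESSED":40,"TIMESTAMP_DERIVED":"2026-03-29T09:10:00Z","CLIENT_IP":"203.0.113.10"}
{"USER_NAME":"helpdesk1@example.com","EVENT_TYPE":"ReportExport","ROWS_PROCESSED":55,"TIMESTAMP_DERIVED":"2026-03-30T10:02:00Z","CLIENT_IP":"203.0.113.10"}
{"USER_NAME":"helpdesk1@example.com","EVENT_TYPE":"ReportExport","ROWS_PROCESSED":30,"TIMESTAMP_DERIVED":"2026-03-31T15:44:00Z","CLIENT_IP":"203.0.113.10"}
{"USER_NAME":"helpdesk1@example.com","EVENT_TYPE":"BulkApi","ROWS_PROCESSED":800000,"TIMESTAMP_DERIVED":"2026-04-01T13:05:00Z","CLIENT_IP":"198.51.100.77"}
{"USER_NAME":"helpdesk1@example.com","EVENT_TYPE":"ReportExport","ROWS_PROCESSED":400000,"TIMESTAMP_DERIVED":"2026-04-01T13:40:00Z","CLIENT_IP":"198.51.100.77"}
{"USER_NAME":"salesops2@example.com","EVENT_TYPE":"ReportExport","ROWS_PROCESSED":5000,"TIMESTAMP_DERIVED":"2026-03-30T08:00:00Z","CLIENT_IP":"203.0.113.11"}
{"USER_NAME":"salesops2@example.com","EVENT_TYPE":"ReportExport","ROWS_PROCESSED":5000,"TIMESTAMP_DERIVED":"2026-03-31T08:00:00Z","CLIENT_IP":"203.0.113.11"}
{"USER_NAME":"salesops2@example.com","EVENT_TYPE":"ReportExport","ROWS_PROCESSED":6000,"TIMESTAMP_DERIVED":"2026-04-01T08:00:00Z","CLIENT_IP":"203.0.113.11"}
"""


def daily_totals(lines: str) -> dict:
    """Sum rows exported per (user, calendar day) across all export-type events."""
    totals = defaultdict(int)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        day = ev["TIMESTAMP_DERIVED"][:10]
        totals[(ev["USER_NAME"], day)] += int(ev["ROWS_PROCESSED"])
    return totals


def export_alerts(lines: str, ratio: int = 10, floor: int = 10_000) -> list:
    """Alert when a user's daily export exceeds max(floor, ratio * median of prior days).

    The floor keeps low-volume users from alerting on trivial growth; the ratio
    catches a sudden jump even for users whose normal volume is already high.
    """
    by_user = defaultdict(dict)
    for (user, day), rows in daily_totals(lines).items():
        by_user[user][day] = rows
    alerts = []
    for user, days in by_user.items():
        for day in sorted(days):
            prior = [r for d, r in days.items() if d < day]
            baseline = median(prior) if prior else 0   # no history: rely on the floor alone
            threshold = max(floor, ratio * baseline)
            if days[day] > threshold:
                alerts.append({"user": user, "day": day, "rows": days[day],
                               "baseline": baseline, "threshold": threshold})
    return alerts


if __name__ == "__main__":
    for alert in export_alerts(SAMPLE_EVENTS):
        print(alert)
```

A baseline of this kind is only useful if export events are actually collected and reviewed; the page's point is that the default DLP posture treats these exports as normal work.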

ShinyHunters: the crew that hit 1,000+ companies the same way

The Charter breach is not an isolated incident. It is part of a sustained campaign.

ShinyHunters is one of the most prolific cybercrime extortion groups operating in 2026. Their public claim is that they have breached more than 1,000 organizations and stolen more than 1.5 billion records, much of it through the same playbook: vishing an employee, taking over a federated identity account, and exporting from connected SaaS applications.

The list of confirmed or alleged ShinyHunters victims over the past 12 months is brutal:

  • AT&T (Snowflake-related credential theft, 110 million customers, 2024 wave)
  • Ticketmaster (560 million records, 2024)
  • Santander Bank (30 million customer records, 2024)
  • Pure Storage (Snowflake-connected, 2024)
  • Various retail and hospitality giants through 2025
  • Multiple educational platforms including the Instructure/Canvas hack of May 2026
  • Charter Communications (this incident)
  • Carnival Cruises, McGraw Hill, Medtronic, 7-Eleven, Odido (all in the 2026 wave)

The group operates as a rebrand of the original ShinyHunters collective, with some operational overlap with the Scattered Spider and Lapsus$ ecosystems. Many of the operators are reportedly young, English-speaking, and skilled at social engineering rather than at writing malware. That demographic shift matters. The barrier to entry for this kind of attack is no longer "be a sophisticated coder." It is "be good at lying on the phone."

Why traditional security failed completely

Charter is not a small company. They have a security team. They have firewalls. They have endpoint detection. They have, presumably, all the standard enterprise security controls. None of it stopped this attack, because none of it was designed for what actually happened.

A traditional security stack is built around these assumptions:

Assumption | What actually happened
Attackers will use malware | No malware. Just a phone call.
Network monitoring will catch unusual traffic | Traffic looked normal. It was a legitimate logged-in session.
MFA prevents unauthorized access | MFA was approved by the actual employee, who was tricked into approving.
Endpoint protection catches threats on devices | No threat ran on any device.
Suspicious login locations get flagged | The attacker probably used a residential proxy in a plausible geography.
Data loss prevention catches large exports | DLP rules often allow customer service tools to export, since that is normal work.
Behavioral analytics catch anomalies | The session looked behaviorally consistent with a typical employee workflow.

Every layer of defense in a typical enterprise stack assumed something about the attacker that turned out to be false. The attacker was not on a malicious device, not on a suspicious network, not running suspicious code, not exfiltrating data in suspicious patterns. They were a logged-in employee, from the company's perspective, until they had what they wanted and disappeared.

This is what people mean when they say identity is the new perimeter. The network perimeter, the device perimeter, the application perimeter all proved permeable. The only thing that mattered was who had the active identity token, and that decision came down to whether one employee believed a phone call.

What Charter customers should do right now

If you are a Charter or Spectrum customer (or were one in the past several years), assume your data is in the dump. Even if the breach turns out to be 5 million records rather than 42 million, those records have your information in them with high probability.

The standard response to a major data breach applies, but with some specifics for this incident:

Freeze your credit at all three bureaus. Equifax, Experian, and TransUnion all offer free credit freezes online. A frozen credit file means a new account cannot be opened in your name without you actively unfreezing it. This is the single most important thing you can do, and most people skip it because it sounds like work. It takes about 15 minutes total across all three.

Watch for vishing attacks against you. The leaked data includes phone numbers and names, which is exactly what scammers need to call you pretending to be from Charter, your bank, the IRS, or anyone else. Treat unsolicited calls about your accounts with extreme skepticism, especially calls that create urgency or ask you to verify information. Hang up and call back using a number you find independently, not the one provided by the caller.

Watch your phone bill for unexpected charges. SIM swap attacks (where attackers transfer your phone number to a SIM they control to intercept SMS-based MFA codes) often start by an attacker calling your carrier with information from a breach. If you see strange activity on your phone account or your phone suddenly stops receiving service, contact your carrier immediately.

Change passwords on any account where you reused your Charter password. Password reuse is how credential leaks become account takeovers across other services. If you used the same password for your Charter account as for your email or banking, change those right now.

Be skeptical of "Charter notification" emails. Attackers will absolutely send phishing emails purporting to be from Charter about the breach, asking you to "click here to verify your account is safe." These will start arriving within weeks if they have not already. Do not click. Go directly to spectrum.com if you need to check anything.

How companies should defend against vishing-to-cloud attacks

For everyone reading this who runs IT or security for a company, the Charter incident is a case study in what the new threat model looks like. Five practical defenses meaningfully reduce the risk.

Phishing-resistant MFA. SMS codes and push notifications can be defeated by social engineering, as Charter just demonstrated. Hardware-backed MFA (FIDO2 security keys like YubiKeys, or platform-bound passkeys) cannot be approved by a verbal request. The user has to physically touch a key or use biometrics on their own device. Phishing-resistant MFA is the single biggest defensive upgrade most companies can make in 2026. It costs around $50 per employee for hardware keys. The Charter incident would not have happened with phishing-resistant MFA enabled.

Conditional access policies tied to network context. Even if credentials get phished, additional verification can be required when a session originates from an unexpected ASN, country, or connection type. Tools that perform automated reputation checks on every authentication attempt, including verification against known abuse lists through services like a blacklist checker, can flag sessions that look suspicious before they reach sensitive applications. This is not a complete defense but it raises the bar.

Employee training that focuses on the actual attack pattern. Most security awareness training is still focused on "do not click suspicious links in emails," which solves a problem that vishing routes around entirely. Modern training has to specifically cover voice calls: never approve MFA pushes you did not initiate, never read out codes to anyone, never disclose passwords over the phone, always call back through a known internal number. These habits feel paranoid until the day they save you 42 million records.

Domain authentication audits. Many vishing attacks succeed partly because the attacker can spoof a credible callback or send a follow-up email that looks legitimate. Solid SPF, DKIM, and DMARC configuration makes external email spoofing of your company harder, removing one common follow-up vector. Running a periodic email security check on your own domain confirms whether attackers can easily impersonate your company in email.
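An audit of this kind starts with reading the published DMARC record and deciding whether its policy actually blocks spoofed mail. The following added example (not from the article or any scanning product) parses a DMARC TXT record and grades it; the record strings are constructed, and fetching the real record at _dmarc.<domain> is left out so the example runs offline.

```python
"""Parse and grade a DMARC record: p=reject at 100% is strong, anything less is weak."""
from typing import List, Optional, Tuple


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def rate_dmarc(txt: Optional[str]) -> Tuple[str, List[str]]:
    """Return (grade, findings) where grade is missing, invalid, weak or strong."""
    findings: List[str] = []
    if not txt:
        return "missing", ["no DMARC record: receivers have no instruction for spoofed mail"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return "invalid", [f"unexpected version tag {tags.get('v')!r}"]
    policy = tags.get("p", "")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid", [f"pct is not an integer: {tags.get('pct')!r}"]
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif policy != "reject":
        return "invalid", [f"unknown or missing policy {policy!r}"]
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is spoofing your domain")
    grade = "strong" if policy == "reject" and pct == 100 else "weak"
    return grade, findings


if __name__ == "__main__":
    # Constructed records, from monitoring-only to fully enforcing.
    for record in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=quarantine; pct=50",
                   "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"):
        print(record, "->", rate_dmarc(record))
```

DMARC only works when SPF or DKIM aligns with the From domain, so a strong grade here still needs those records checked alongside it.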

Continuous external attack surface monitoring. Many companies are unaware of which services and applications are publicly exposed in their name. A website security scanner run periodically against your own properties identifies misconfigurations, exposed admin panels, and weak headers that attackers exploit for the follow-on stages of a vishing attack. The Charter incident shows that the initial breach is often the easy part. Containing the lateral movement is where the real defensive work happens.

The bigger picture: identity is the new perimeter

Charter is not unique. The Charter breach is what enterprise compromise looks like in 2026, and the defenses most companies have built are calibrated for 2018 attacks.

The pattern is now consistent enough to predict. An attacker identifies a target with a large customer database concentrated in a SaaS application. They social-engineer one employee with access. They pivot through SSO. They export. They extort. If the company pays, the data may or may not get leaked anyway. If the company refuses, the data definitely gets leaked. Either way, the customers whose records were stolen pay the long-term cost.

Three trends make this attack pattern likely to keep growing:

AI voice cloning lowers the barrier further. A few seconds of audio from a corporate earnings call or public conference is enough to clone an executive's voice. Some vishing operations are already using cloned voices of company leadership to authorize unusual actions. This makes the social engineering side of the attack even harder to detect.

SaaS sprawl concentrates more data per breach. Every additional SaaS application connected via SSO is another export target downstream of a compromised identity. Companies running 50+ SaaS platforms (which is now typical for enterprises) are creating massive concentrations of data behind single identity systems.

Extortion economics keep improving. ShinyHunters and similar groups have established that companies will, often, pay rather than face the reputational cost of a leak. Even when companies refuse, the data sale market is mature enough to monetize the records anyway. The economic incentive points clearly toward more of these attacks, not fewer.

The defensive playbook has to catch up. Identity-first security, phishing-resistant MFA, continuous network and behavior monitoring, and zero-trust segmentation are not optional in 2026. They are the floor.

Wrap up

Charter Communications, one of the largest telecommunications companies in the United States, lost millions of customer records because one employee believed a phone call. The attack required no exotic capability, no zero-day vulnerability, no advanced malware. It required a credible-sounding voice and patience.

The lesson for individuals is that your data is now distributed across hundreds of corporate Salesforce instances, CRM platforms, and SaaS providers you have never heard of. Each one of those is a potential phone call away from being dumped on the dark web. Freezing your credit, using unique passwords, and being skeptical of unsolicited contact are not paranoia. They are baseline hygiene.

The lesson for companies is harder. The technical defenses most enterprises have spent the last 20 years building assume an attacker who tries to break things. The modern attacker just asks nicely. Until the controls that protect against that style of attack (phishing-resistant MFA, conditional access, identity-first monitoring) become standard rather than aspirational, the next ShinyHunters dump is already in motion somewhere.

The phone is ringing. Somebody is going to answer.


Sources include Charter Communications' official statement, reporting by BleepingComputer, The Register, Cybernews, Cyber Insider, eSecurity Planet, and TechRepublic, plus analysis from Have I Been Pwned on the verifiable scope of the published dataset. ShinyHunters' claims regarding exact record counts and CPNI exfiltration remain contested.

Last updated Jun 1, 2026 · 16 min read · 3,263 words