Charter Communications data breach affects 4.9 million accounts
In early April 2026, the ShinyHunters extortion gang compromised Charter Communications, a major U. S. telecom provider, via a voice phishing attack that targeted an employee's Microsoft Entra account. The attackers accessed and exfiltrated approximately 42 million records from Charter's Salesforce instance, including personal information such as names, email addresses, phone numbers, physical addresses, job titles, plan details, and some customer proprietary network information (CPNI). Although Charter confirmed the breach, it stated that no sensitive personal information or CPNI was exfiltrated, a claim contested by the extortion gang and independent analysis. The stolen data of 4. 9 million accounts was later leaked on the dark web after Charter refused to pay ransom demands. The FBI has advised victims not to pay ransoms, warning that payment does not guarantee data protection. This incident is part of a broader pattern of ShinyHunters targeting Salesforce customers globally. Charter has alerted authorities and declined to provide further details on the breach.
AI Analysis
Technical Summary
The ShinyHunters extortion group conducted a successful attack on Charter Communications in April 2026 by compromising an employee's Microsoft Entra account through a voice phishing (vishing) attack. Using this access, they extracted approximately 42 million records from Charter's Salesforce environment, including personal and business customer data such as names, emails, phone numbers, physical addresses, job titles, plan information, support tickets, and some CPNI data. Despite Charter's statement denying exfiltration of sensitive personal or CPNI data, analysis by Have I Been Pwned confirmed that 4.9 million unique accounts were affected, with data subsequently leaked on the dark web after ransom demands were refused. The breach highlights ongoing risks to Salesforce customers from targeted attacks by ShinyHunters. Charter has involved law enforcement and has not disclosed further technical details or remediation steps publicly.
Potential Impact
The breach exposed personal information of approximately 4.9 million Charter Communications accounts, including names, email addresses, phone numbers, physical addresses, and job titles for a subset of records. The exposure of this data can lead to increased risks of identity theft, phishing, and targeted social engineering attacks against affected individuals. Although Charter denies that sensitive personal information or CPNI was exfiltrated, the presence of some CPNI data in the stolen records as claimed by the attackers and independent analysis raises concerns about potential regulatory and privacy implications. The leak on the dark web increases the likelihood of misuse of the data by other malicious actors. No confirmed exploitation in the wild has been reported at this time.
Mitigation Recommendations
Charter Communications has confirmed the breach and involved law enforcement authorities. The company has not disclosed specific remediation measures publicly. Since this incident involved compromise of an employee's Microsoft Entra account via voice phishing, organizations should reinforce phishing awareness training and implement strong multi-factor authentication controls for privileged accounts. Affected customers should be notified and advised to monitor for suspicious communications. The FBI advises victims not to pay ransom demands, as payment does not guarantee data protection. Patch status is not applicable as this was a social engineering attack rather than a software vulnerability. Check official Charter Communications advisories for updates and guidance.
Charter Communications data breach affects 4.9 million accounts
Description
In early April 2026, the ShinyHunters extortion gang compromised Charter Communications, a major U. S. telecom provider, via a voice phishing attack that targeted an employee's Microsoft Entra account. The attackers accessed and exfiltrated approximately 42 million records from Charter's Salesforce instance, including personal information such as names, email addresses, phone numbers, physical addresses, job titles, plan details, and some customer proprietary network information (CPNI). Although Charter confirmed the breach, it stated that no sensitive personal information or CPNI was exfiltrated, a claim contested by the extortion gang and independent analysis. The stolen data of 4. 9 million accounts was later leaked on the dark web after Charter refused to pay ransom demands. The FBI has advised victims not to pay ransoms, warning that payment does not guarantee data protection. This incident is part of a broader pattern of ShinyHunters targeting Salesforce customers globally. Charter has alerted authorities and declined to provide further details on the breach.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The ShinyHunters extortion group conducted a successful attack on Charter Communications in April 2026 by compromising an employee's Microsoft Entra account through a voice phishing (vishing) attack. Using this access, they extracted approximately 42 million records from Charter's Salesforce environment, including personal and business customer data such as names, emails, phone numbers, physical addresses, job titles, plan information, support tickets, and some CPNI data. Despite Charter's statement denying exfiltration of sensitive personal or CPNI data, analysis by Have I Been Pwned confirmed that 4.9 million unique accounts were affected, with data subsequently leaked on the dark web after ransom demands were refused. The breach highlights ongoing risks to Salesforce customers from targeted attacks by ShinyHunters. Charter has involved law enforcement and has not disclosed further technical details or remediation steps publicly.
Potential Impact
The breach exposed personal information of approximately 4.9 million Charter Communications accounts, including names, email addresses, phone numbers, physical addresses, and job titles for a subset of records. The exposure of this data can lead to increased risks of identity theft, phishing, and targeted social engineering attacks against affected individuals. Although Charter denies that sensitive personal information or CPNI was exfiltrated, the presence of some CPNI data in the stolen records as claimed by the attackers and independent analysis raises concerns about potential regulatory and privacy implications. The leak on the dark web increases the likelihood of misuse of the data by other malicious actors. No confirmed exploitation in the wild has been reported at this time.
Mitigation Recommendations
Charter Communications has confirmed the breach and involved law enforcement authorities. The company has not disclosed specific remediation measures publicly. Since this incident involved compromise of an employee's Microsoft Entra account via voice phishing, organizations should reinforce phishing awareness training and implement strong multi-factor authentication controls for privileged accounts. Affected customers should be notified and advised to monitor for suspicious communications. The FBI advises victims not to pay ransom demands, as payment does not guarantee data protection. Patch status is not applicable as this was a social engineering attack rather than a software vulnerability. Check official Charter Communications advisories for updates and guidance.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/","fetched":true,"fetchedAt":"2026-05-29T08:33:32.298Z","wordCount":793}
Threat ID: 6a194f5ce29bf47b50baa9cd
Added to database: 5/29/2026, 8:33:32 AM
Last enriched: 5/29/2026, 8:33:45 AM
Last updated: 5/29/2026, 6:14:16 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.