ShinyHunters Alleges 42M Records Stolen from Charter Communications

Voice phishing is becoming a cloud security problem, not just a help desk problem.

Charter Communications confirmed a cybersecurity incident after the ShinyHunters extortion group claimed it had stolen customer data and threatened to leak it unless a ransom was paid. The company, which operates under the Spectrum brand, said it is investigating the incident and coordinating with authorities.

“The Charter breach is a reminder that the most sophisticated security stack in the world can be undone by a convincing phone call,” Andrew Chipman, GRC manager at ProCircular, said in an email to eSecurityPlanet.

Key takeaways of the Charter Communications incident

According to BleepingComputer:

  • Charter Communications confirmed an incident after the ShinyHunters group claimed it stole customer data from the company’s environment.
  • The threat actor alleged the breach began with a vishing attack that compromised a Microsoft Entra account and enabled access to Charter’s Salesforce environment.
  • ShinyHunters claimed it stole more than 42 million customer records, though Charter denied that sensitive personal information or customer proprietary network information (CPNI) was exfiltrated.

Inside the Charter incident

The alleged breach highlights the growing threat posed by social engineering campaigns targeting cloud identity platforms and enterprise SaaS environments.

According to BleepingComputer, the ShinyHunters extortion group claimed it gained access to Charter Communications systems through a voice phishing (vishing) attack that compromised an employee’s Microsoft Entra account.

The attackers allegedly used that access to gain entry to the company’s Salesforce environment, where they exported large volumes of customer data.

What data was allegedly stolen

While Charter stated that sensitive personal information and customer proprietary network information (CPNI) were not exfiltrated, ShinyHunters claimed it stole more than 42 million customer records.

According to the threat actor, the data included names, email addresses, phone numbers, physical addresses, plan details, and customer support ticket information.

Charter did not confirm the scale of the alleged theft and instead reiterated its original statement denying exposure of sensitive customer data.


Identity platforms are increasingly targeted

The incident demonstrates how a single compromised identity account can create broader exposure across interconnected cloud services.

Many organizations now rely on single sign-on (SSO) platforms such as Microsoft Entra, Okta, and Google Workspace to manage authentication across business-critical SaaS applications.

As a result, attackers increasingly target identity systems because compromising a single account can provide access to platforms such as Salesforce, Microsoft 365, Slack, Zendesk, and Dropbox.

ShinyHunters’ broader campaigns

ShinyHunters has been linked to several SaaS-focused extortion campaigns over the past year, particularly targeting Salesforce environments and stolen OAuth tokens associated with third-party integrations.

The group was also reportedly connected to attacks targeting education technology provider Instructure, which disrupted Canvas services and allegedly exposed data associated with tens of millions of students.

How organizations can reduce risk

Attackers continue to target single sign-on platforms, third-party integrations, and authentication workflows to access enterprise systems.

To reduce risk, organizations should adopt a layered security approach that includes stronger identity protections, improved SaaS monitoring, and tested incident response plans.

  • Implement phishing-resistant MFA, conditional access policies, and device trust requirements to reduce the risk of credential theft and unauthorized access to SaaS applications. Phishing-resistant here means FIDO2 security keys, passkeys, or certificate-based authentication: a vishing caller can talk a user through approving a push notification or reading out a one-time code, but cannot relay a credential bound to the legitimate origin.
  • Monitor SaaS environments for unusual login activity, abnormal OAuth consent grants, and large-scale data exports that may indicate account compromise.
  • Restrict OAuth application permissions, regularly audit third-party integrations, and rotate API tokens to limit persistent attacker access.
  • Enforce least-privilege access controls and separate administrative accounts from standard user accounts to reduce opportunities for lateral movement.
  • Deploy data loss prevention (DLP) policies and role-based restrictions to better control access to sensitive customer and business data.
  • Conduct regular employee training focused on vishing, MFA fatigue attacks, and impersonation tactics used in social engineering campaigns.
  • Test incident response plans and use attack-simulation tools with scenarios involving identity compromise.
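As an added illustration of the monitoring bullet above (this is example code written for this article, not tooling or telemetry from Charter, Salesforce, or Microsoft), the following Python runs three simple detections over a constructed, normalized event stream: a sign-in from a country never before seen for that user, an OAuth consent grant to an application outside an allowlist, and a report export whose row count exceeds both an absolute floor and the user's own historical baseline. It then correlates an export alert with identity-layer alerts for the same user in the preceding hour, which is the shape of the chain the threat actor described: identity compromise first, SaaS exfiltration shortly after. The event fields, the app allowlist, the 50,000-row floor, the one-hour window, and the sample events are all assumptions.

```python
"""Three SaaS/identity detections plus a correlation step, run over a
constructed event stream.  Added example for this article; the event shape
is a hypothetical normalization and is not any vendor's log format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: str            # ISO-8601 UTC timestamp (assumed format)
    user: str
    action: str        # "signin" | "oauth_consent" | "report_export"
    country: str = ""  # signin only
    app: str = ""      # oauth_consent only
    rows: int = 0      # report_export only


# Constructed sample telemetry (not real data): four days of routine exports
# by "alice", then an off-hours sign-in from a new country, a consent grant to
# an unknown app, and a mass export five minutes later.
EVENTS = [
    Event("2024-01-08T09:01:00Z", "alice", "signin", country="US"),
    Event("2024-01-08T09:30:00Z", "alice", "report_export", rows=1200),
    Event("2024-01-09T10:05:00Z", "alice", "report_export", rows=900),
    Event("2024-01-10T11:15:00Z", "alice", "report_export", rows=1500),
    Event("2024-01-11T09:40:00Z", "alice", "report_export", rows=1100),
    Event("2024-01-12T03:12:00Z", "alice", "signin", country="NL"),
    Event("2024-01-12T03:15:00Z", "alice", "oauth_consent", app="Data Loader Helper"),
    Event("2024-01-12T03:20:00Z", "alice", "report_export", rows=2_500_000),
    Event("2024-01-12T08:00:00Z", "bob", "signin", country="US"),
    Event("2024-01-12T08:10:00Z", "bob", "oauth_consent", app="Slack"),
]

APPROVED_APPS = {"Slack", "Zendesk"}     # assumed allowlist of reviewed integrations
EXPORT_FLOOR = 50_000                    # rows; never alert on volume below this
MIN_BASELINE = 3                         # exports needed before a per-user baseline is trusted
CORRELATION_WINDOW = timedelta(hours=1)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return alerts as (ts, user, rule, detail) tuples in chronological order.

    Baselines are built only from events already processed, so an anomalous
    export never contaminates the baseline used to judge it."""
    seen_countries = defaultdict(set)
    export_history = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.action == "signin":
            # A user's first observed sign-in is learning, not an alert.
            if seen_countries[e.user] and e.country not in seen_countries[e.user]:
                alerts.append((e.ts, e.user, "new_country_signin", e.country))
            seen_countries[e.user].add(e.country)
        elif e.action == "oauth_consent":
            if e.app not in APPROVED_APPS:
                alerts.append((e.ts, e.user, "unapproved_oauth_consent", e.app))
        elif e.action == "report_export":
            hist = export_history[e.user]
            threshold = EXPORT_FLOOR
            if len(hist) >= MIN_BASELINE:
                # Per-user statistical threshold, but never below the absolute floor.
                threshold = max(EXPORT_FLOOR, mean(hist) + 3 * pstdev(hist))
            if e.rows > threshold:
                alerts.append((e.ts, e.user, "bulk_export",
                               f"{e.rows} rows exceeds threshold {threshold:.0f}"))
            hist.append(e.rows)
    return alerts


def correlate(alerts, window=CORRELATION_WINDOW):
    """Attach identity-layer alerts in the preceding window to each bulk_export.

    A mass export alone is medium severity; one preceded by a new-country
    sign-in or an unapproved consent for the same user is high."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a[1]].append(a)
    incidents = []
    for user, items in by_user.items():
        for a in items:
            if a[2] != "bulk_export":
                continue
            t = _parse(a[0])
            precursors = [p[2] for p in items
                          if p[2] != "bulk_export"
                          and timedelta(0) <= t - _parse(p[0]) <= window]
            incidents.append({"user": user, "export": a, "precursors": precursors,
                              "severity": "high" if precursors else "medium"})
    return incidents


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(*alert)
    for inc in correlate(found):
        print(inc["severity"].upper(), inc["user"], inc["precursors"])
```

On the sample data the three rules fire only for alice, all within eight minutes, and the correlation step raises the export to high severity because both identity-layer alerts precede it. Bob's consent to an allowlisted app and his first-ever sign-in produce nothing, and a user with no export history is judged against the floor alone, so small routine exports stay quiet until a baseline exists.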

Collectively, these steps can help organizations build resilience against identity-based attacks while reducing exposure across cloud and SaaS environments.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.
