ShinyHunters dumped personal data on 4.9 million Charter Communications accounts after Charter refused to pay the gang’s ransom, turning an April 1 network intrusion into a public exposure.
The breach started with a voice phishing attack that compromised a Charter employee’s Microsoft Entra account. ShinyHunters used that access to pull 42 million records from Charter’s Salesforce instance: customer names, email addresses, physical addresses, phone numbers, plan details, and support ticket data. Charter told BleepingComputer that no sensitive personal information or customer proprietary network information (CPNI) was taken; CPNI is a federally protected category under 47 U.S.C. § 222 that triggers mandatory breach reporting. ShinyHunters disputed that claim, saying CPNI was among the stolen files. Have I Been Pwned analyzed the published data and confirmed 4.9 million unique email addresses exposed, alongside names, phone numbers, and physical addresses. An internal employee subset of roughly 85,000 records also included job titles.
Charter can’t claim isolated bad luck. The same company was also hit by Salt Typhoon, the Chinese state-backed group that compromised AT&T, Verizon, and other U.S. carriers in the same period. ShinyHunters’ entry point was voice phishing a single employee to access a Salesforce instance holding tens of millions of records, the same vector the group has used against hundreds of companies in the past year.
The FBI’s Internet Crime Complaint Center warned on May 15 that paying ShinyHunters’ ransom doesn’t guarantee data deletion or prevent future extortion. Charter didn’t pay. The price: 4.9 million customer records, now indexed on the dark web.
James Okafor