Charter Data Breach: ShinyHunters Claims 42 Million Records Stolen on the Dark Web
Charter Communications, the U.S. telecommunications company behind the Spectrum brand, has confirmed a cybersecurity incident after the ShinyHunters extortion group claimed it stole and listed 42 million Charter records on the Dark Web.
The breach gained wider attention after Have I Been Pwned added the incident to its breach database, confirming 4.9 million unique email addresses in the exposed dataset. The confirmed exposed data includes email addresses, names, phone numbers, physical addresses, and job titles.
Breach at a glance:
- Unique email addresses: 4.9 million
- Threat actor claim: More than 42 million records stolen
- Breach timeframe: April-May 2026
- Initial access claim: Voice phishing targeting a Microsoft Entra account
- Affected environment claim: Salesforce instance
How Did the Charter Data Breach Happen?
According to ShinyHunters’ claims, the attack began with a voice phishing, or vishing, attempt against a Charter employee. The attackers allegedly compromised a Microsoft Entra account and used that access to reach Charter’s Salesforce environment.
From there, the group claimed it exfiltrated consumer and business customer data, including names, email addresses, physical addresses, phone numbers, plan information, customer support ticket data, and some Customer Proprietary Network Information, known as CPNI. Charter has disputed the claim that sensitive personal information or CPNI was taken.

ShinyHunters Dark Web listing for Charter Communications, claiming 42M+ records available
What Did ShinyHunters Post on the Dark Web?
SOCRadar’s Dark Web Monitoring module detected a ShinyHunters post on May 28, 2026, announcing the release of the alleged Charter dataset. The post followed the group’s usual “pay or leak” extortion pattern: pressure the victim through public exposure after failed negotiations.
The “Updated: 28 May 2026” timestamp on the listing suggests the dataset may have been refreshed, re-listed, or re-promoted. Security teams should treat this activity as an ongoing exposure risk rather than a closed incident.

ShinyHunters forum post announcing the full Charter data release, detected by SOCRadar Dark Web Monitoring on May 28, 2026. (SOCRadar Dark Web News)
What Data Was Exposed in the Charter Breach?
Have I Been Pwned’s Charter breach page lists 4.9 million affected accounts and confirms the following exposed data types:
- Email addresses
- Names
- Phone numbers
- Physical addresses
- Job titles
A subset of approximately 85,000 records reportedly came from Charter’s internal employee directory, which explains the presence of job titles in the leaked dataset.

HIBP breach detail page for Charter Communications, confirming 4.9 million exposed accounts.
How Did Charter Respond?
Charter confirmed that it was aware of the incident and had begun notifying the appropriate authorities. However, the company rejected the most sensitive parts of the attacker’s claims.
Charter stated that no sensitive personal information or CPNI data was exfiltrated as a result of the recent activity.
That leaves a key gap between Charter’s public statement and ShinyHunters’ claims. HIBP confirmed exposure of contact and identity-related data, but its public breach entry does not confirm CPNI exposure.
Is the Charter Breach Part of a Broader ShinyHunters Campaign?
The Charter incident does not appear to be isolated. Around the same time, Kemper Corporation was also added to Have I Been Pwned’s breach database in connection with a ShinyHunters campaign involving Salesforce access through social engineering.
All in all, Charter appears to be one of multiple organizations recently named in ShinyHunters activity involving cloud-hosted business data.
Why This Breach Matters for Security Teams
The Charter breach shows how a single compromised identity can create a path into business-critical cloud applications. Vishing attacks are especially difficult to stop because they target people, trust, and routine help desk workflows rather than only technical vulnerabilities.
For organizations using Salesforce or similar cloud CRM platforms, this incident highlights the need to:
- Enforce phishing-resistant MFA for privileged users
- Review Microsoft Entra and SaaS access logs for unusual activity
- Monitor bulk exports and abnormal API activity
- Audit third-party integrations and connected applications
- Limit access to customer records based on role and business need
- Train help desk and IT teams to detect social engineering attempts
Dark web re-listing also creates a long-tail risk. Once attackers publish or trade stolen records, phishing, impersonation, and fraud attempts can continue for months or years.
Monitor Exposure With SOCRadar Dark Web Monitoring
SOCRadar’s Dark Web Monitoring module continuously scans hacker forums, leak sites, and underground marketplaces for exposed company data, employee credentials, and threat actor mentions.
In incidents like the Charter breach, early Dark Web detection helps security teams understand when organizational data appears in underground channels, assess the exposure, and respond before the incident escalates publicly.

SOCRadar’s Dark Web Monitoring
What Should Charter and Spectrum Customers Do Now?
Charter and Spectrum customers should treat this breach as a phishing and impersonation risk. Exposed contact details can help attackers create convincing emails, phone calls, or text messages that appear to come from Charter, Spectrum, a bank, or another trusted service.
To reduce risk, affected customers should:
- Be cautious with unexpected calls, emails, or texts asking for account details, payment information, verification codes, or password resets.
- Do not click links in unsolicited messages. Visit official websites directly or use trusted mobile apps instead.
- Change reused passwords, especially on email, banking, telecom, and streaming accounts.
- Enable multi-factor authentication wherever it is available.
- Watch for account changes, including new contact details, service updates, billing changes, or unauthorized support requests.
- Monitor financial statements for suspicious charges if personal details were exposed.
- Report suspicious messages to Charter/Spectrum support and avoid sharing one-time passcodes with anyone.
For security teams, SOCRadar’s Threat Actor Tracking can help follow ShinyHunters’ activity across Dark Web forums, leak sites, and other underground sources. Tracking the actor’s posts, claimed victims, and campaign patterns can provide earlier visibility into whether an organization appears in related discussions or follow-on extortion activity.

Threat actor card of ShinyHunters
The most important step is to stay alert. Even when a breach does not expose passwords or payment data, attackers can still use names, phone numbers, addresses, and email addresses to make social engineering attempts more believable.
