ShinyHunters Extortion Gang Leaks 4.9 M Charter Communications Customer Records After Vishing Attack
What Happened – In early April 2026, the ShinyHunters extortion gang compromised a Charter Communications employee’s Microsoft Entra account via a voice‑phishing (vishing) call. The foothold was used to access Charter’s Salesforce instance, where the attackers exfiltrated millions of records and later published 4.9 million customer records on a dark‑web leak site.
Why It Matters for TPRM –
- Large‑scale exposure of personally identifiable information (PII) from a Tier‑1 telecom provider can cascade to downstream vendors and partners.
- The attack vector (vishing) highlights the need for robust identity‑and‑access controls on privileged accounts.
- Public disclosure of the breach may trigger regulatory scrutiny and contractual penalties for organizations that rely on Charter’s services.
Who Is Affected – Telecommunications customers (residential and business), SaaS‑dependent applications that integrate with Charter’s Salesforce data, and any third‑party services that ingest the exposed customer information.
Recommended Actions –
- Review and harden MFA and conditional access policies for all privileged accounts, especially those linked to Microsoft Entra/Azure AD.
- Conduct a data‑flow audit to identify any downstream systems that may have ingested the compromised Salesforce data.
- Verify that contractual security clauses with Charter address breach notification, data handling, and liability.
- Monitor for credential reuse or phishing attempts targeting your organization’s employees.
Technical Notes – Attack vector: voice‑phishing (vishing) leading to compromised Microsoft Entra credentials. Exfiltrated data: names, email addresses, phone numbers, physical addresses, job titles, plan information, support tickets, and limited CPNI. No confirmed theft of highly sensitive CPNI. Source: BleepingComputer