Charter Communications confirms cybersecurity breach following ShinyHunters extortion threat

News27 May 2026

Charter Communications, one of the largest telecommunications and broadband providers in the United States, confirmed a cybersecurity incident after the ShinyHunters extortion group claimed it stole tens of millions of customer records from the company’s systems.

The company said it is investigating the incident and coordinating with authorities following claims by the threat group that it had accessed internal systems and extracted customer-related data.

“We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities,” Charter said in a statement. The company added that no sensitive personal information or customer proprietary network information was exfiltrated during the incident.

Charter Communications operates under the Spectrum brand and provides broadband internet, mobile, cable television, and phone services to tens of millions of residential and business customers across the country.

The ShinyHunters extortion group claimed it breached Charter on April 1 through a voice phishing attack that compromised an employee’s Microsoft Entra account. The attackers said they used that access to extract customer records from the company’s Salesforce environment.

The threat actors alleged the stolen information included customer names, email addresses, physical addresses, phone numbers, phone types, plan details, customer support ticket information, and some customer proprietary network information. The group claimed the breach involved approximately 40 million to 42 million records, although those figures have not been independently verified.

The group posted Charter Communications on its leak site and warned that the data would be released publicly if negotiations were not initiated before May 27, 2026.

Charter has not confirmed how attackers gained access to its systems, whether internal services were disrupted, or how many customers may have been affected. The company also has not announced whether customer notifications will be issued.

The incident is part of a broader campaign targeting enterprise cloud environments and Salesforce-connected systems. Over the past year, ShinyHunters has carried out social engineering attacks aimed at compromising employee and third-party contractor accounts tied to Microsoft Entra, Okta, and Google single sign-on services.

After gaining access to enterprise authentication systems, the group has targeted connected cloud platforms including Salesforce, Microsoft 365, Slack, Zendesk, Google Workspace, SAP, Dropbox, Adobe, Atlassian, and other software-as-a-service environments.