Charter Communications Confirms 40 Million Customer Records Stolen After ShinyHunters Called an Employee and Asked Nicely — The Entire Zero-Trust Architecture Was Defeated by a Phone Call on April Fools’ Day

🤚 The Open-Palm Breach Notification

Charter Communications, the telecommunications conglomerate that serves roughly 30 million customers under the Spectrum brand, has confirmed that ShinyHunters — the extortion collective with a résumé longer than your cable contract — breached them on April 1, 2026, and walked away with an alleged 40 million customer records.

The attack method? Not a zero-day. Not a supply chain compromise. Not a sophisticated nation-state intrusion framework. A phone call.

ShinyHunters used a voice phishing (vishing) attack to compromise a single employee’s Microsoft Entra account. From there, they pivoted directly into Charter’s Salesforce instance and exported millions of consumer and business customer records like they were running a quarterly report.

The stolen data reportedly includes:

  • Customer names, email addresses, and physical addresses
  • Phone numbers and phone types
  • Plan information and customer support ticket data
  • Some Customer Proprietary Network Information (CPNI)

👐 The Two-Handed Corporate Denial

Charter, displaying the confidence of a company whose entire CRM was just downloaded by strangers, released a statement insisting that “no sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor.”

ShinyHunters, displaying the confidence of a group holding 40 million records, would like to respectfully disagree.

This is the corporate security equivalent of someone photographing your entire diary and you insisting they didn’t see anything important. The records include names, addresses, phone numbers, and account details. In what universe do those not constitute “sensitive personal information”? Apparently, the universe where your legal department writes your breach notifications.

The real indignity here is the attack vector. Microsoft Entra — formerly Azure Active Directory, rebranded because the old name wasn’t sufficiently abstract — was compromised via a phone call. Not a sophisticated exploit chain. Not a cryptographic flaw. Someone called an employee, pretended to be someone they weren’t, and received the keys to 40 million customer profiles. The entire zero-trust architecture, the conditional access policies, the multi-factor authentication — all of it bypassed by the oldest hacking technique in existence: being persuasive on the telephone.

🌿 The Gentle Awakening

If the name ShinyHunters sounds familiar, it should. Regular readers of this publication may recall their starring role in the Canvas LMS breach that exposed 275 million student records just weeks ago, or the 7-Eleven data breach that leaked 185,000 records this month. ShinyHunters aren’t having a good year — they’re having a legendary year, and the rest of us are funding it with our customer data.

Their specialty is social engineering campaigns targeting corporate SSO accounts. They don’t need to find vulnerabilities in your software because they’ve found a much more reliable vulnerability: your employees. Every company invests millions in firewalls, endpoint detection, and threat intelligence platforms, and then a 22-year-old with a spoofed caller ID walks through the front door carrying a metaphorical crowbar labeled “Hi, I’m from IT.”

The pattern is now unmistakable. Salesforce, Microsoft Entra, and corporate SSO are the new attack surface, and the exploit isn’t technical — it’s theatrical.

👑 The Gold-Leaf Reckoning

Here is what 40 million records means in practical terms: Charter/Spectrum is the second-largest cable operator in the United States. If ShinyHunters’ claims are accurate, they now possess the personal information of a population roughly equivalent to the entire state of California. The breach happened on April 1st — yes, April Fools’ Day — and was only confirmed publicly on May 26th, nearly two months later. Your records were stolen, catalogued, and threatened with publication before you even knew they were gone.

The telecom industry has spent the last decade consolidating into a handful of mega-corporations, each holding unfathomable amounts of customer data in CRM platforms that were designed for sales efficiency, not adversarial resistance. Salesforce is not a vault. It is a searchable, exportable, beautifully indexed database of everything a threat actor could want, accessible to anyone with the right SSO token. And the right SSO token, apparently, costs one convincing phone call.

Charter will send breach notification letters. Customers will receive free credit monitoring. A CISO will update a slide deck. And ShinyHunters will move on to the next company that thinks its identity provider is a security boundary rather than a suggestion.

“The attacker called on April Fools’ Day and the company didn’t realize the joke was on them until Memorial Day weekend. We’re told the hold music was lovely.” — The Slap of Wisdom Incident Response Desk, currently screening all calls from unknown numbers