Charter confirms data breach after ShinyHunters extortion threat

BleepingComputer

U.S. telecommunications giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.

Charter Communications is one of the largest broadband providers in the United States, serving tens of millions of residential and business customers through its Spectrum brand.

In a statement shared this weekend, the company said it is alerting authorities about the incident and that no sensitive personal customer information was stolen.

"We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities," Charter told BleepingComputer.

"No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity."

ShinyHunters extorting Charter

This statement follows Charter's listing on the ShinyHunters data leak site, where attackers claimed to have stolen 40 million records containing the personal information of consumer and business customers.


Charter listing on the ShinyHunters data leak site

ShinyHunters claimed to BleepingComputer that they breached Charter on April 1 through a voice phishing (vishing) attack that compromised an employee's Microsoft Entra account.

The threat actors used this access to export millions of consumer and business customer records from the company's Salesforce instance.

According to the threat actor, the stolen records contain customer names, email addresses, addresses, phone numbers, phone type, plan information, and some CPNI data. The threat actor also claims to have stolen customer support ticket data.

BleepingComputer contacted Charter again about the threat actor's claims that additional customer data, including some CPNI, was stolen but was referred back to the company's original statement.

Since last year, the extortion group has been conducting widespread social engineering campaigns that target employees' and BPO agents' Microsoft Entra, Okta, and Google SSO accounts.

After gaining access to a corporate SSO account, the threat actors steal data from connected SaaS applications such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, Dropbox, and many others.

This stolen data is then used to extort the company by threatening to leak the data if a ransom is not paid.

Salesforce has been a popular target of the extortion gang, with the threat actors breaching numerous integration companies to steal OAuth tokens that can then be used to access Salesforce instances.

More recently, ShinyHunters conducted multiple attacks against the education technology firm Instructure, resulting in Canvas outages and the theft of data from tens of millions of students.

Instructure said it ultimately reached an "agreement" with the extortion gang, meaning it likely paid a ransom to prevent the public release of the stolen data.
