ShinyHunters leaks Spectrum customer data after Charter ransom refusal

Charter Communications, the company behind Spectrum internet, cable, and mobile service, has confirmed a data breach after the ShinyHunters extortion group published stolen customer records when its May 27 ransom deadline passed without a response.

ShinyHunters told BleepingComputer the breach occurred on April 1 through a voice phishing attack targeting a Charter employee's Microsoft Entra account. No technical barrier was broken. Someone called, impersonated IT support, and walked away with valid credentials. The attackers used that access to export customer records from Charter's Salesforce instance before the intrusion was detected.

What was leaked

The Cybernews research team confirmed ShinyHunters published data covering at least 13 million individuals alongside nearly 10 million customer support ticket records. Most of the customer data originates from Spectrum Enterprise, the division serving large businesses, corporations, and government agencies. A separate internal employee directory subset of around 85,000 records was also exposed, containing job titles, work emails, and in a limited number of cases, home addresses.

Published customer records include names, email addresses, physical addresses, phone numbers, phone type, and plan information. ShinyHunters originally claimed 40 to 42 million records, a figure that exceeds Charter's entire US customer base of 32 million. Cybernews noted the dataset likely contains duplicates. Have I Been Pwned, via BleepingComputer, confirmed 4.9 million unique email addresses and added them to its database.

Charter and ShinyHunters disagree on CPNI

The most consequential dispute concerns Customer Proprietary Network Information, a federally protected category covering call records, service subscriptions, and usage patterns. Charter told BleepingComputer that no sensitive personal information or CPNI data was exfiltrated. ShinyHunters claims the opposite. With the data now publicly posted, independent researchers are in a position to assess both claims.

The broader pattern here is hard to miss. ShinyHunters has worked through a string of major targets in 2026 using the same general approach: compromise a cloud identity or SSO account through social engineering, pivot into connected SaaS platforms, export data at scale, and set a ransom deadline. Carnival Corporation was hit in April after attackers accessed systems through a third-party account. ADT, Aura, and Panera were also caught in the same campaign window. Charter did not engage before May 27. The data is now public.

Spectrum customers should change their account password, enable two-factor authentication, and treat unexpected contact claiming to be from Charter or Spectrum with caution. Have I Been Pwned can confirm whether your email address was exposed. A credit freeze at Equifax, Experian, and TransUnion is free, reversible, and prevents new accounts from being opened in your name.