📡 Charter Breach: 40M Records at Risk After Vishing Attack
On this page
Charter Communications — the parent company of Spectrum, one of America's largest broadband and cable providers — has confirmed a data breach after the ShinyHunters extortion group threatened to leak 40 million stolen customer records unless a ransom is paid. The attack, which BleepingComputer reported on 26 May 2026, used a voice phishing (vishing) call to compromise an employee's Microsoft Entra account, then pivoted to Salesforce to exfiltrate millions of records containing names, email addresses, phone numbers, and account plan information.
This breach demonstrates a critical vulnerability that affects every organisation and individual: even the strongest password is powerless when an attacker convinces someone to hand over access. The same credential theft techniques that breached Charter are targeting businesses and individuals worldwide, and the stakes have never been higher. Using our TitanPasswords Generator to create unique, strong passwords for every account is your first line of defence, but this attack proves that passwords alone — even strong ones — aren't enough when social engineering is involved.
How the Charter Communications Breach Happened
According to BleepingComputer's investigation, ShinyHunters gained initial access to Charter's systems on April 1, 2026, through a carefully orchestrated voice phishing (vishing) attack. The attackers called a Charter employee, posing as a trusted support organisation, and convinced them to approve a multi-factor authentication (MFA) push notification on their phone.
Once the attacker had MFA approval, they had full access to the employee's Microsoft Entra (formerly Azure Active Directory) account — the single sign-on hub that controls access to every connected application in the organisation. From there, they navigated to Charter's Salesforce instance, a customer relationship management platform containing millions of customer records.
Using the SSO access, the threat actors exported customer data including names, email addresses, physical addresses, phone numbers, phone type, plan information, and some customer proprietary network information (CPNI). They then listed Charter on their dark web leak site and threatened to release the full dataset unless the company paid a ransom.
This exact pattern — vishing → MFA fatigue → SSO compromise → SaaS data theft — has been used by ShinyHunters in dozens of breaches over the past year. Earlier in May 2026, the group used an identical technique against 7-Eleven (exposing 185,300 customer records), Instructure (affecting 275 million student accounts across Canvas), and McGraw-Hill (135 million accounts).
What Is Vishing and Why Is It So Effective?
Vishing — voice phishing — is social engineering over the phone. Attackers call a target, impersonate someone from IT support, a vendor, or a trusted partner, and manipulate the victim into taking an action that compromises security. In Charter's case, the caller convinced the employee to approve an MFA push notification that the attacker had triggered moments earlier.
The technique exploits a well-known vulnerability in push-based MFA called MFA fatigue (also known as prompt bombing). Here is how it works:
- The attacker already has the victim's password — sourced from a breached credential database on the dark web
- The attacker initiates a login to the company's VPN or Microsoft 365 portal, triggering an MFA push notification to the employee's phone PureVPN — Secure Your Connection
- The employee sees "Approve sign-in request?" — often multiple times in quick succession
- After enough repeated prompts, or combined with a convincing phone call, the employee eventually approves
- The attacker is now logged in as a legitimate user, bypassing MFA entirely
As we detailed in our MFA Methods for Banking Security 2026 guide, push notifications rank in the middle of the security spectrum — better than SMS codes, but vulnerable to exactly this kind of fatigue attack. The Cisco breach of 2022 followed nearly the same script: an attacker obtained a password from a synced browser, bombarded the employee with MFA prompts, and combined it with vishing calls to eventually log in.
Who Is ShinyHunters?
ShinyHunters has emerged as one of the most prolific extortion groups in cybersecurity. Originally known for selling stolen databases on dark web marketplaces, the group has shifted to a data extortion model — breaching companies, stealing data, and threatening to leak it unless paid.
The group has claimed responsibility for breaches at dozens of major organisations including the European Commission, Google, Cisco, Match Group (Tinder, Hinge, OkCupid), ADT (5.5 million customers), Medtronic, Rockstar Games, PornHub, Vimeo, Zara, and MANGO. The FBI has issued a public service announcement advising victims not to pay ShinyHunters' ransoms, warning that paying does not guarantee the data won't be sold or used for further extortion.
ShinyHunters' signature technique is targeting Salesforce environments through compromised SSO credentials. They breach integration companies like Salesloft and Drift to steal OAuth tokens that grant access to downstream Salesforce instances. At scale, the group claims to have stolen over 15 billion records through these Salesforce-focused campaigns.
What the Charter Breach Means for Spectrum Customers
If you are a Spectrum customer, here is what you need to know:
- Names, emails, addresses, and phone numbers may have been exposed — even if Charter's official statement says no "sensitive personal information" was stolen, ShinyHunters claims otherwise. The leaked data almost certainly contains personally identifiable information (PII).
- Expect phishing attempts — with your name, email, phone number, and account plan details, attackers have everything they need to craft convincing phishing emails, SMS messages, and phone calls targeting you directly.
- Monitor your financial accounts — exposed email addresses and phone numbers are commonly used for credential stuffing attacks against bank portals, cryptocurrency exchanges, and payment platforms.
How to Protect Yourself After the Charter Breach
1. Use a Password Manager With Strong, Unique Credentials
The single most effective step you can take is to ensure every one of your online accounts uses a unique, complex password. A TitanPasswords-generated password of 20+ characters with full complexity is effectively uncrackable by any brute-force method. For your most critical accounts — email, banking, and password manager master password — we recommend following the Three-Tier Password Strategy, which matches password strength to the sensitivity of each account.
Our guide to the Best Password Managers for Banking Security in 2026 provides a detailed comparison of 1Password, Bitwarden, Dashlane, Keeper, and NordPass, with a focus on encryption standards, breach history, and features that protect financial credentials. Using a dedicated password manager eliminates the risk of password reuse — the primary vulnerability that enables credential stuffing after a breach like Charter's. Try NordPass ➔ 🎓 Save 50% Off
2. Enable Phishing-Resistant MFA
Push notifications are the weakest form of MFA because they rely on the user to make a security decision with almost no contextual information. FIDO2 hardware security keys (like YubiKey) and passkeys are phishing-resistant — they cannot be approved remotely, cannot be tricked by a vishing call, and are cryptographically bound to the specific website or service.
If hardware keys are not immediately feasible, switch to an authenticator app with number matching (such as Microsoft Authenticator or Google Authenticator) instead of push-only notifications. Number matching requires the user to type a displayed number into the phone, making it much harder for an attacker to socially engineer approval.
3. Use a VPN on Public Wi-Fi
Charter being a broadband provider means many of its customers use its internet connections at home. On public or untrusted Wi-Fi networks, an attacker who has your credentials — or who can intercept your traffic — is far more dangerous. A VPN encrypts all your traffic so that even if someone is monitoring the network, they cannot see what you are doing. For Charter customers, protecting your connection with a trusted VPN service adds a critical layer of privacy that data breaches cannot bypass.
4. Monitor for Phishing and Vishing Attempts
After any data breach where your contact information is exposed, expect an increase in phishing attempts. Scammers will use the leaked data to make their messages more convincing — they already know your name, your phone number, and which services you use. Never approve an unexpected MFA prompt. Never give out a one-time passcode over the phone. If someone calls claiming to be from your internet provider, IT department, or bank, hang up and call the official number directly.
Tools like the TrustyPassword phishing link checker can help you identify suspicious links before you click them. The same social engineering techniques that breached Charter — vishing and MFA fatigue — are the most common ways attackers bypass strong passwords, so knowing how to recognise them is just as important as having strong credentials.
5. Run a Security Check on Your Accounts
Visit Have I Been Pwned (HIBP) to check whether your email address appears in the Charter breach or any of the other breaches ShinyHunters has been involved in. If your credentials appear in any breach, change that password immediately and enable MFA on the account if you have not already. Bitwarden and 1Password both include built-in breach monitoring that alerts you when saved credentials appear in known data breaches.
Ensure your devices are protected against malware that could steal passwords saved in browsers. Using a comprehensive security suite like Kaspersky Antivirus can help detect and block infostealer malware, which is one of the primary ways attackers obtain the passwords they use in vishing and MFA fatigue attacks.
The Bigger Picture: Credential Theft in 2026
The Charter breach is not an isolated incident. The FBI Internet Crime Complaint Center (IC3) recorded over $4.3 billion in financial losses from cybercrime in 2024, with compromised credentials accounting for more than 40% of those incidents. The 2025 Verizon Data Breach Investigations Report (DBIR) found that 86% of web application breaches involve stolen or weak credentials. And according to IBM's Cost of a Data Breach 2025 report, the average breach now costs organisations $4.88 million.
The UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) both recommend moving away from SMS and push-based MFA toward phishing-resistant authentication methods. NIST SP 800-63B guidelines explicitly deprecate SMS-based MFA and recommend FIDO2/WebAuthn as the preferred second factor.
What the Charter breach demonstrates is that even companies with mature security programs are vulnerable when the attack targets human psychology rather than technical vulnerabilities. The solution is not a single tool but a layered approach: strong, unique passwords managed through a password manager, phishing-resistant MFA, vigilance against social engineering, and regular monitoring of your digital footprint.
FAQs
Was my Spectrum account data stolen in the Charter breach?
It is possible. ShinyHunters claims to have stolen 40 million records containing customer information including names, email addresses, phone numbers, addresses, and account plan details. Charter's official statement says no "sensitive personal information" was stolen, but the threat actor disputes this. If you are a Spectrum customer, check your email on Have I Been Pwned and change your passwords as a precaution.
Does the Charter breach affect my Spectrum username and password?
Charter has not confirmed whether Spectrum account passwords were taken. The primary data exfiltrated was from Salesforce, which contains customer relationship data (names, contact info, plan details) rather than authentication credentials. However, you should still change your Spectrum password and enable MFA on your account.
What is the difference between phishing and vishing?
Phishing uses email or text messages to trick victims into clicking malicious links or revealing information. Vishing (voice phishing) uses phone calls, with attackers impersonating trusted contacts — IT support, bank representatives, or vendor support — to manipulate victims into approving MFA requests or sharing credentials. The Charter breach used vishing specifically.
Can MFA be bypassed?
Yes, MFA can be bypassed in specific scenarios. Push-based MFA is vulnerable to MFA fatigue/prompt bombing, where attackers repeatedly trigger approvals until the user gives in. SMS-based MFA is vulnerable to SIM-swapping. The only MFA methods that are considered phishing-resistant are FIDO2 hardware keys and passkeys, which are cryptographically bound to specific services.
Should I stop using Spectrum after this breach?
Breaches at major ISPs are unfortunately common — Comcast, AT&T, T-Mobile, and Verizon have all suffered significant breaches in recent years. The most important action is not which provider you use, but how well you protect your accounts: strong unique passwords, phishing-resistant MFA, and vigilance against social engineering will protect you regardless of which providers suffer future breaches.