Cyber Incident Victim: Charter Communications
Date:
Apr 2026
Location:
United States of America
Summary
Charter Communications confirmed a cybersecurity incident after the ransomware group ShinyHunters posted the company on a leak site, claiming access via a voice phishing call that compromised an employee’s Microsoft Entra account and allowed export of customer records from Salesforce, including names, emails, addresses, phone numbers, plan details and support ticket data. The firm stated only sales tools were affected and no sensitive personal information was released, while affected customers have filed class‑action lawsuits alleging inadequate safeguards and seeking damages for heightened risk of fraud and identity theft.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On April 1, 2026, a voice phishing (vishing) call was used by the ransomware group ShinyHunters to obtain access to a Microsoft Entra account belonging to a Charter Communications employee. Using that compromised credential, the attackers moved laterally into Charter's Salesforce environment. ShinyHunters asserts that from Salesforce they exported millions of records containing customer names, email addresses, home addresses, phone numbers, phone types, service plan information, support ticket details, and some CPNI data. The group posted a notice on its leak site claiming that over 42 million records containing personally identifiable information had been compromised and issued a final warning to Charter to pay a ransom or face public release of the data.
Charter Communications confirmed awareness of the incident and stated that it was following its security protocols while cooperating with law enforcement authorities. The company said that only sales tools used to manage current, past, and prospective business customers were affected and that no customer proprietary network information (CPNI) or sensitive personal information was released by the threat actor. Charter's statement contrasted with ShinyHunters' claim that a broader set of consumer and business records, including some CPNI data, had been exfiltrated. The discrepancy between the company's assessment and the hackers' allegation prompted heightened attention from customers and regulators.
In early June 2026, at least four class-action complaints were filed in federal court in Connecticut, alleging that Charter failed to implement adequate safeguards against the April 2026 cyberattack and that the breach exposed more than 42 million records with personal information. The plaintiffs, including a New York City resident and individuals from Texas and North Carolina, contend that the compromised data increases their risk of fraud, identity theft, and related harms, and they seek unspecified damages. Charter, which reported approximately 31.7 million customers at the end of March 2026, had previously announced in May 2025 an agreement to merge with Cox Communications, with the combined entity slated to retain Charter's Stamford headquarters and for CEO Chris Winfrey to continue in the same role at the newly named Cox Communications.