Charter Communications data breach affects 4.9 million accounts

The ShinyHunters extortion gang stole personal information from 4.9 million accounts after hacking the U.S. telecom giant Charter Communications in early April, according to data breach notification service Have I Been Pwned.
Charter has over 92,000 employees and provides internet, mobile, video, and voice services to more than 32 million customers and over 57 million homes in 41 states across the U.S. through its Spectrum brand.
The company confirmed the breach earlier this week, saying that the attackers did not steal sensitive personal customer information and that it had alerted authorities about the incident.
"No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity," Charter told BleepingComputer.
While Charter has yet to attribute the attack and has not shared further details, the ShinyHunters extortion gang claimed responsibility and told BleepingComputer that they breached the company's systems on April 1 in a voice phishing (vishing) attack that compromised an employee's Microsoft Entra account.
The threat actors claimed they used this access to steal 42 million records from the company's Salesforce instance, including consumer and business customer names, email addresses, physical addresses, phone numbers, phone types, plan information, support ticket data, and some CPNI data.
After the company refused to pay the ransom demanded by ShinyHunters to have the stolen data returned and destroyed, the cybercrime group leaked the documents stolen from Charter's Salesforce instance on their dark web leak site.
BleepingComputer reached out to Charter again about the extortion gang's claims that they also stole additional CPNI data but was referred back to the company's original statement.
Image: Charter entry on ShinyHunters leak site (BleepingComputer)
Although Charter declined to share further details, including whether threat actors also exfiltrated CPNI data from its systems, Have I Been Pwned analyzed the leaked data and confirmed that the incident affected 4.9 million accounts, whose names, email addresses, job titles, phone numbers, and physical addresses were stolen.
"The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses," Have I Been Pwned said. "A subset of approximately 85k records originating from an internal employee directory also included job titles."
ShinyHunters has been targeting Salesforce customers over the past year, breaching hundreds of companies worldwide and claiming the theft of billions of records in Salesforce Aura data theft attacks and a Salesloft Drift campaign.
The FBI has recently advised ShinyHunters' victims not to give in to the gang's ransom demands, after previously warning that doing so cannot guarantee that threat actors won't attempt to sell the stolen data to other cybercriminals or extort them again.
Charter Communications' systems were also compromised in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon that also impacted AT&T, Verizon, Consolidated Communications, Windstream, and Lumen, as well as telecom companies in dozens of other countries.