The ShinyHunters extortion gang stole personal information from 4.9 million accounts after hacking the U.S. telecom giant Charter Communications in early April, according to data breach notification service Have I Been Pwned.
Charter has over 92,000 employees and provides internet, mobile, video, and voice services to more than 32 million customers and over 57 million homes in 41 states across the U.S. through its Spectrum brand.
The company confirmed the breach earlier this week, saying that the attackers did not steal sensitive personal customer information and that it had alerted authorities about the incident.
“No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity,” Charter told BleepingComputer.
While Charter has yet to attribute the attack and has not shared further details, the ShinyHunters extortion gang claimed responsibility and told BleepingComputer that they breached the company’s systems on April 1 in a voice phishing (vishing) attack that compromised an employee’s Microsoft Entra account.
The threat actors claimed they used this access to steal 42 million records from the company’s Salesforce instance, including consumer and business customer names, email addresses, physical addresses, phone numbers, phone types, plan information, support ticket data, and some CPNI data.
However, Charter spokesperson denied the gang’s claims of CPNI data theft and said that “only sales tools used to manage current, past and prospective Business customers were impacted; no CPNI or sensitive PI was released by the threat actor.”
After the company refused to pay the ransom demanded by ShinyHunters to have the stolen data returned and destroyed, the cybercrime group leaked the documents stolen from Charter’s Salesforce instance on their dark web leak site.
Have I Been Pwned analyzed the leaked data and confirmed that the incident affected 4.9 million accounts, whose names, email addresses, job titles, phone numbers, and physical addresses were stolen.
“The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses,” Have I Been Pwned said. “A subset of approximately 85k records originating from an internal employee directory also included job titles.”
ShinyHunters has been targeting Salesforce customers over the past year, breaching hundreds of companies worldwide and claiming the theft of billions of records in Salesforce Aura data theft attacks and a Salesloft Drift campaign.
The FBI has recently advised ShinyHunters’ victims not to give in to the gang’s ransom demands, after previously warning that doing so cannot guarantee that threat actors won’t attempt to sell the stolen data to other cybercriminals or extort them again.
Charter Communications’ systems were also compromised in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon that also impacted AT&T, Verizon, Consolidated Communications, Windstream, and Lumen, as well as telecom companies in dozens of other countries.
Update May 30, 03:23 EDT: Added Charter follow-up statement.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
