Breach brief: CHARTER-SHINYHUNTE (2026-05-28)

Charter Communications: ShinyHunters Vishing SaaS Extortion


Charter Communications confirmed on May 26, 2026 that 40 million customer records were stolen after a ShinyHunters vishing attack compromised an employee's Microsoft Entra account on April 1. The breach is one of more than 400 confirmed compromises tied to the group's 2026 SaaS extortion campaign, which has now reached telecom, education, healthcare, retail, and financial services across 13 sectors. Mandiant and Google's Threat Intelligence Group are tracking the activity across three clusters: UNC6661 and UNC6671 for initial access, and UNC6240 for post-intrusion extortion.

What Happened

On April 1, 2026, a Charter employee received a vishing call from an attacker impersonating internal IT support. The caller walked the target through entering credentials on a fake single sign-on portal, which captured the employee's Microsoft Entra credentials and live MFA approval in real time. With a valid session token in hand, the attackers pivoted into Charter's Salesforce instance and exported millions of consumer and business records over the following hours.

Charter detected the activity after ShinyHunters issued a 72-hour ransom demand threatening full public disclosure of the dataset. The company publicly confirmed the breach on May 26, 2026, almost two months after the initial compromise. The intrusion fits the pattern Mandiant has documented across the broader 2026 campaign: no software exploit, no malware deployment, just a phone call and a credential harvesting page that bypasses push-based and SMS MFA.

What Was Taken

ShinyHunters exfiltrated approximately 40 million Charter Communications customer records from the Salesforce environment. Stolen data includes:

The Charter dataset sits inside a much larger 2026 haul. ShinyHunters separately exfiltrated 275 million education records from Canvas/Instructure across 330 institutions on May 7, 2026. Across the campaign, more than 400 organizations have been confirmed compromised, with stolen data staged for sequential extortion against each victim under the group's standard 72-hour deadline.

Why It Matters

Charter is the second-largest cable operator in the United States, and CPNI exposure carries direct regulatory weight under FCC rules. Beyond the regulatory exposure, the breach validates a thesis defenders have resisted operationalizing: identity is the perimeter, and that perimeter is being defeated by phone calls. Every confirmed 2026 ShinyHunters breach began with vishing, not a CVE. Software patching, EDR coverage, and network segmentation provided no meaningful defense because no software was exploited and no malware was deployed.

The campaign also signals that SaaS data stores, especially Salesforce, are now the primary target for extortion-grade data theft. Attackers no longer need domain admin on a corporate network when a single help-desk-grade Entra or Okta session unlocks tens of millions of records through legitimate export APIs. Organizations relying on push-based or SMS MFA as their last line of defense are operating against an adversary that has built tooling specifically to defeat both.

The Attack Technique

The ShinyHunters chain executes in five phases:

  1. Reconnaissance. UNC6661 or UNC6671 operators identify target employees through LinkedIn, public org charts, and prior data leaks, building a script tailored to internal IT support language.
  2. Vishing. The operator calls the employee, impersonates IT support, and references a fabricated account or MFA issue requiring immediate reauthentication.
  3. Adversary-in-the-middle credential capture. The target is directed to a lookalike SSO portal that proxies the legitimate Okta or Microsoft Entra login, capturing the password and harvesting the session token after the user approves the MFA prompt.
  4. SaaS data exfiltration. Using the stolen session, attackers authenticate to integrated SaaS platforms, most often Salesforce, and use legitimate export tooling to pull bulk customer records.
  5. Extortion. UNC6240 takes over, issuing a 72-hour ransom demand with samples of the stolen data and threatening public release on leak infrastructure if payment is not received.

The technique deliberately avoids endpoint malware, bypassing EDR entirely, and leans on the fact that most SaaS audit logging treats a valid session token as a trusted user.

What Organizations Should Do

  1. Enforce phishing-resistant MFA. Replace push and SMS MFA with FIDO2 security keys or platform passkeys for all workforce identities, prioritizing privileged and SaaS-admin accounts.
  2. Restrict Salesforce and SaaS bulk export. Require step-up authentication for Data Loader, Bulk API, and report export operations. Alert on any export exceeding normal volume thresholds.
  3. Harden the help desk. Mandate callback verification through a known internal directory before any password or MFA reset. Train staff to refuse credential-reset requests initiated by inbound calls.
  4. Monitor for session token abuse. Hunt for impossible-travel logins, new device registrations, and Okta or Entra session reuse from unfamiliar ASNs. Cut session lifetimes for high-risk roles.
  5. Run vishing tabletop exercises. Treat voice-based social engineering as a primary attack vector in red team scopes. Most awareness programs still over-index on email phishing.
  6. Inventory SaaS data exposure. Identify which SaaS tenants hold regulated data (CPNI, PII, PHI, student records) and apply IP allowlisting, conditional access, and DLP controls at the application layer.
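As an added defensive example that is not part of the original brief, the following Python correlates the two signals recommended in items 2 and 4 above (session reuse from an unfamiliar ASN, and export volume above baseline) against constructed Entra-style sign-in and Salesforce-style export events. The event layout, ASNs, window and baseline threshold are assumptions for illustration, not values from the brief.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, kind, session id, ASN, exported records)
EVENTS = [
    ("2026-04-01T09:02:00", "signin", "sess-a1", "AS7922", 0),    # employee approves MFA
    ("2026-04-01T09:11:00", "signin", "sess-a1", "AS13335", 0),   # same token, unfamiliar ASN
    ("2026-04-01T09:20:00", "export", "sess-a1", "AS13335", 5_000_000),
    ("2026-04-01T09:45:00", "export", "sess-a1", "AS13335", 7_500_000),
    ("2026-04-01T10:00:00", "signin", "sess-b2", "AS7922", 0),    # ordinary user
    ("2026-04-01T10:05:00", "export", "sess-b2", "AS7922", 2_000),
]

KNOWN_ASNS = {"AS7922"}           # assumed: ASNs the workforce normally signs in from
REUSE_WINDOW = timedelta(minutes=30)
EXPORT_BASELINE = 10_000          # assumed: records per session considered normal

def session_reuse_alerts(events, known_asns=KNOWN_ASNS, window=REUSE_WINDOW):
    """Flag a session whose sign-in ASN changes to an unfamiliar one within the window."""
    first_seen = {}
    alerts = []
    for ts, kind, sess, asn, _ in sorted(events):
        if kind != "signin":
            continue
        t = datetime.fromisoformat(ts)
        if sess not in first_seen:
            first_seen[sess] = (t, asn)
            continue
        t0, asn0 = first_seen[sess]
        if asn != asn0 and asn not in known_asns and t - t0 <= window:
            alerts.append((sess, asn0, asn))
    return alerts

def export_volume_alerts(events, baseline=EXPORT_BASELINE):
    """Flag sessions whose cumulative exported record count exceeds the baseline."""
    totals = defaultdict(int)
    for _, kind, sess, _, count in events:
        if kind == "export":
            totals[sess] += count
    return {s: n for s, n in totals.items() if n > baseline}

def correlate(events):
    """Sessions showing both signals: a reused token followed by bulk export."""
    reused = {s for s, _, _ in session_reuse_alerts(events)}
    return sorted(reused & set(export_volume_alerts(events)))

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Either signal alone is noisy in a real tenant; the point is that the combination singles out the session the audit log would otherwise treat as a trusted user.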

Sources: ShinyHunters Vishing SaaS Extortion: Charter Breach