Breach Teardown

Telecommunications
2026

What Caused the Charter Communications Breach?

On April 1, 2026, a member of the ShinyHunters extortion group phoned a Charter employee and talked them into sharing credentials for a Microsoft Entra account. That single conversation gave the attackers a path into Charter’s Salesforce environment, where they exported millions of customer records and later published a large portion when no ransom was paid.

Scale
4.9M accounts confirmed (per HIBP); attackers claimed 40M+
Attack vector
Vishing for Entra credentials, then bulk Salesforce export
IAM domains implicated
Auth/SSO, Cloud, Security
Domino controls hit
0 of 3

The Incident

What Happened

Charter Communications, the operator of the Spectrum brand, confirmed a data breach in 2026 after ShinyHunters threatened to leak stolen customer data. According to reporting by BleepingComputer, the intrusion began on April 1 with a voice phishing call that persuaded an employee to share credentials for a Microsoft Entra account. From there the attackers reached Charter’s Salesforce instance and exported customer records in bulk.

ShinyHunters claimed roughly 40 million records. Have I Been Pwned, which received and processed the leaked data, confirmed about 4.9 million unique email addresses. The records included names, email and physical addresses, phone numbers, plan information, and some CPNI data. A subset of roughly 85,000 records came from an internal employee directory and included job titles.

Charter notified authorities and stated that no Social Security numbers or payment card data were taken. After a May 27 payment deadline passed, the attackers published at least 13 million of the stolen records.

Attack Chain

How the Attack Compounded

Each step below marks the AXIS control that failed at that point in the chain, where one applies. Steps without a control marker were outside the victim's direct span of control.

  1. An attacker calls a Charter employee, poses as a trusted party, and obtains credentials for a Microsoft Entra account.

    AUTH-04

  2. The shared credentials work. Whatever second factor existed did not stop an attacker who never touched a phishing page.

    AUTH-04

  3. The Entra identity reaches the Salesforce environment, where a single account can query millions of customer records.

    CLOUD-03

  4. Bulk exports of consumer and business records run to completion without behavioral intervention.

    SEC-03

  5. Extortion follows; when Charter declines to pay, at least 13 million records are published.

Control Mapping

The IAM Controls That Failed

Every failure point below corresponds to a control in the AXIS question bank, the same 3 controls a maturity assessment would have scored before this incident.

AXIS controls that failed in the Charter Communications breach, with domain, capability, and how each failed
ControlDomainCapabilityHow it failed here
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityCredentials a person can read out over the phone are credentials an attacker can use. Phishing-resistant factors (FIDO2, device-bound passkeys) have no shareable secret, which is the point: the Charter chain starts and ends with a spoken password.
CLOUD-03CloudSaaS Application Discovery & Shadow IT ControlSalesforce held tens of millions of customer records, yet the account that reached it could export at will. SaaS platforms holding regulated data need the same session, scope, and export controls as core systems, and governance over which identities can pull bulk data.
SEC-03SecurityUser Behavioral Analytics (UBA)Exporting millions of CRM records is not normal behavior for any single employee account. Behavioral analytics tuned to volume and pattern anomalies in SaaS activity would have had a loud signal to act on.

The Maturity Lesson

What Would Have Changed the Outcome

The Domino Effect

No malware, no exploit, no zero-day. One employee, one phone call, one over-reaching SaaS session. The AXIS model treats phishing-resistant authentication and SaaS governance as separate controls because they fail separately: strong MFA without SaaS export governance still leaks the CRM, and tight Salesforce policy without phishing-resistant factors still falls to the next convincing phone call.

The Maturity Level That Mattered

At level 3 on AUTH-04, workforce authentication uses phishing-resistant factors for access to systems holding customer data, so a disclosed password is useless on its own. At level 2 or higher on CLOUD-03, high-value SaaS platforms sit behind SSO with conditional access, and bulk-export capability is restricted to a small, monitored set of roles.

The pattern to assess for: every vishing-era breach traces to a human transaction the technology permitted. Ask which systems an attacker reaches with one employee’s spoken credentials, and whether anything watches what that session does next.

Related Compliance Frameworks

The controls implicated in this breach carry citations in these frameworks within the AXIS bank:

Sources

About This Analysis

This teardown is based exclusively on public disclosures, regulatory findings, and reporting cited above; it makes no claim of insider knowledge about the internal environment at Charter Communications. Control mappings express how the publicly documented failure points correspond to capabilities in the AXIS methodology, for educational purposes. AXIS is not affiliated with Charter Communications.

Would Your Program Have Caught This?

The 3 controls that failed here are questions in the AXIS assessment. Score your organization against them, and the rest of the bank, in about 20 minutes. No signup required to start.