Charter Communications Data Breach Exposes 4.9 Million Accounts via ShinyHunters

ShinyHunters — the prolific cybercriminal extortion gang responsible for dozens of high-profile database thefts — has stolen personally identifiable information (PII, meaning any data that can identify a specific individual) from 4.9 million Charter Communications customers, the company behind the Spectrum internet and cable brand. The breach occurred in early April 2026 and was publicly disclosed on May 28–29, 2026, after Troy Hunt added the dataset to Have I Been Pwned (HIBP), the free breach-notification service that lets individuals check whether their email address appears in known data theft incidents. BleepingComputer first reported the full scope of the incident.

// 01 ShinyHunters Charter Communications: What Was Stolen

The dataset posted by ShinyHunters to BreachForums — the primary dark-web marketplace (an invitation-only criminal forum operating on Tor) where stolen data is auctioned and distributed — contains the following fields for each of the 4.9 million affected accounts:

• Full legal names
• Email addresses
• Phone numbers
• Physical street addresses
• Dates of birth
• Partial account numbers (last four digits only)
• Service subscription details (which Spectrum products the customer holds — internet, TV, mobile, or bundled plans)

Charter Communications confirmed that the following categories of data were not exposed: passwords, Social Security numbers (SSNs — the US government-issued nine-digit identifiers used for financial and identity verification), and full payment card numbers. The absence of credentials and financial data reduces the immediate risk of direct account takeover and payment fraud, but the combination of full name, date of birth, physical address, phone number, and email creates a high-quality dossier for targeted social-engineering attacks (manipulating victims into revealing further information or granting access), SIM-swapping (convincing a mobile carrier to transfer a victim's phone number to an attacker-controlled SIM), and phishing campaigns.

// 02 How ShinyHunters Breached Charter Communications

ShinyHunters claims the data was obtained through a third-party vendor compromise — meaning attackers did not penetrate Charter's own core infrastructure directly, but instead targeted a contractor or service provider with legitimate access to Charter customer data. This attack vector (the path an attacker uses to reach a target) is consistent with the group's established methodology; several of their largest prior breaches exploited cloud storage misconfigurations or vendor-side credential theft rather than frontal network intrusion.

Charter Communications issued a statement acknowledging "unauthorized access" to customer data and confirmed the company is working with external cybersecurity experts and law enforcement. The company has not publicly named the third-party vendor involved, nor has it disclosed the technical mechanism — whether a stolen credential, an unpatched vulnerability in the vendor's systems, or a misconfigured cloud storage bucket — that allowed the intrusion.

The sequence from intrusion to public disclosure unfolded over roughly seven weeks:

// 03 Who Is Affected

Charter Communications serves approximately 32 million subscribers across the United States under the Spectrum brand. The 4.9 million records stolen represent roughly 15 percent of that subscriber base. Affected users are spread across all Spectrum service lines — residential internet, cable TV, Spectrum Mobile (the company's MVNO, or Mobile Virtual Network Operator — a carrier that runs on another provider's physical network), and bundled accounts.

HIBP notified affected email addresses directly on or around May 28–29, 2026. Users who have not checked HIBP yet but subscribe to Spectrum should treat their personal details as potentially exposed regardless of whether they received a notification email, since notification delivery depends on having a verified email address registered with HIBP.

Customers who use their Spectrum email address as a primary contact or recovery address for other accounts face compounded risk: an attacker with their full name, address, date of birth, and that email address has enough context to attempt password-reset flows on banking, healthcare, and government portals.

// 04 What You Should Do Right Now

• Check Have I Been Pwned. Visit haveibeenpwned.com and enter every email address associated with your Charter/Spectrum account. HIBP will confirm whether your address appears in this specific dataset or any other known breach corpus.

• Enable multi-factor authentication (MFA) on all critical accounts. MFA adds a second verification step beyond a password — typically a time-based one-time code (TOTP) from an authenticator app. Prioritize email, banking, and telecom accounts. An app-based authenticator (Google Authenticator, Authy, or a hardware key like YubiKey) is significantly stronger than SMS-based MFA, which is vulnerable to SIM-swapping.

• Watch for SIM-swap attempts. Contact your mobile carrier and request a SIM-lock or port-freeze — a security note requiring in-person ID verification before your number can be transferred to a new SIM. This directly counters one of the most effective attacks enabled by the exposed data type.

• Be skeptical of inbound contact using your exposed details. Attackers who purchase or obtain this dataset will use it to craft convincing phishing calls and emails that reference your correct name, address, or partial account number to appear legitimate. Any unsolicited contact from "Spectrum support" requesting credentials, payment updates, or remote access should be treated as suspect.

• Place a credit freeze with the three major bureaus. A credit freeze (also called a security freeze) prevents new lines of credit from being opened in your name without your explicit unfreeze. Contact Equifax, Experian, and TransUnion directly. The freeze is free under US federal law.

• Monitor your Charter account for unauthorized changes. Log in to your Spectrum account and review the contact details, service plans, and payment methods on file. Any unfamiliar change — particularly a phone number or email address you did not set — may indicate account takeover activity.

// 05 Background: ShinyHunters and the BreachForums Ecosystem

The ShinyHunters Charter Communications incident is the latest in a long series of large-scale data thefts attributed to this group, which has operated since at least 2020. Their known victim roster includes:

• Ticketmaster / Live Nation (2024): 560 million records — one of the largest consumer data breaches on record
• AT&T (2024): 73 million records containing customer account data and passcodes
• Santander Bank: employee and customer data across multiple countries
• Snowflake customers (2024): dozens of enterprises whose Snowflake (a cloud data-warehousing platform) instances lacked MFA — ShinyHunters used stolen credentials to access client environments including AT&T and Advance Auto Parts
• ADT: customer information from the home-security provider — ShinyHunters used an Okta SSO vishing attack to breach ADT and expose 5.5 million customers
• Medtronic: ShinyHunters claimed 9 million records from the medical device manufacturer
• Medibank (Australia): 9.7 million health insurance customer records, including sensitive medical claim data

ShinyHunters operates primarily through BreachForums, the successor to RaidForums (seized by the FBI in 2022). BreachForums itself was seized by law enforcement in May 2024, but re-emerged under new administration and continues to function as the primary venue where the group lists stolen data. The BreachForums infrastructure and its revolving administrators have proven resilient to takedowns, with the community migrating domains and onion addresses after each law-enforcement action.

The group's consistent methodology — targeting third-party vendors, cloud storage misconfigurations, and Snowflake-style credential-based access — means that large enterprise networks with complex vendor ecosystems remain the highest-risk targets. The Charter breach reinforces a pattern: even organizations that maintain strong perimeter security can lose customer data through a supplier that has weaker controls.

// 06 Conclusion

ShinyHunters has confirmed its position as the most consequential data-theft actor currently operating, and the Charter Communications breach adds 4.9 million consumer records to an already massive portfolio of stolen PII. While the absence of passwords and financial data limits some direct-fraud scenarios, the richness of the exposed dossier — name, date of birth, full address, phone, email, and account metadata — gives attackers actionable material for identity fraud, SIM-swapping, and social-engineering campaigns at scale.

Affected Spectrum customers should act immediately: check HIBP, lock down MFA, freeze credit, and apply port-locks on mobile accounts. Security practitioners should treat this incident as a continued reminder that third-party vendor risk management and MFA enforcement across all customer-data-adjacent systems are not optional hardening steps — they are the primary controls standing between a vendor credential and a nine-figure breach disclosure.

See our coverage of the ADT breach via ShinyHunters Okta vishing and the Medtronic ShinyHunters incident for related analysis on this group's evolving tactics.