Charter customer data leak after vishing-led Salesforce access

Attackers used **vishing** to compromise a **Charter Communications** employee's **Microsoft Entra** account, reach the company's **Salesforce** environment, and steal customer data in early April. Available material ties the intrusion and the later public leak to **ShinyHunters**, with the leaked dataset appearing after ransom demands were rejected. The confirmed public exposure covers **4.9 million accounts** and includes names, email addresses, phone numbers, physical addresses, and a smaller employee-directory subset with job titles. The incident record and the leak record describe the same sequence: initial account compromise, access to cloud records, and later publication of stolen data. The actor claimed to have taken **42 million records** from Charter's Salesforce instance, but available evidence firmly confirms the leaked set at **4.9 million accounts** rather than the larger claim. The exposed data spans consumer and business customer information, increasing the risk of follow-on phishing, account abuse, and identity misuse. Charter said it is alerting authorities and following security protocols, and it disputed parts of the actor's theft narrative by saying no sensitive personal information or **CPNI** was exfiltrated in the recent activity. That leaves the current picture as a confirmed large customer-data leak with a still-contested full exfiltration scope. No software vulnerability is identified in the available material; the known access path is social engineering against identity access that led to SaaS data exposure.