ShinyHunters claims Charter breach after pay-or-leak extortion threat

Charter Communications, the parent company of Spectrum, confirmed a cybersecurity incident after ShinyHunters listed the company in a pay-or-leak extortion campaign and threatened to publish stolen data.

What happened

According to Charter’s statement provided to BleepingComputer, the company became aware of the situation, activated its security protocols, and began alerting the appropriate authorities. Charter also said no sensitive personal information or customer proprietary network information, known as CPNI, was exfiltrated during the recent activity.

ShinyHunters gave a different account, claiming it breached Charter on April 1 through a vishing attack against an employee’s Microsoft Entra account, then used the access to export records from Charter’s Salesforce environment. The group claimed the stolen files included consumer and business customer names, email addresses, physical addresses, phone numbers, phone type, plan information, support ticket data, and some CPNI. Have I Been Pwned later added the Charter breach on May 28, 2026, reporting that 4.9 million accounts were affected.

What was said

According to the FBI’s warning on ShinyHunters, “ShinyHunters (SH) — which claimed the cyber-attack that caused the disruption—is a cyber criminal group specializing in large — scale data breaches and extortion. They target major companies across tech, finance, and retail, often stealing millions of customer records at once.”

Why it matters

The Canvas incident shows why pay-or-leak extortion has become a broader security risk. We reported on the incident in mid-May 2026 when ShinyHunters demanded payment from Instructure after breaching Canvas, a learning management system used across higher education.

Paubox’s 2026 Healthcare Email Security Report offers that 74% of breached domains had ineffective DMARC protection in 2025. Weak sender authentication makes it easier for attackers to impersonate trusted organizations, push urgent demands, and make fake messages look real. The risk is no longer limited to whether attackers encrypt systems.

FAQs

What is a pay-or-leak extortion campaign?

A pay-or-leak extortion campaign is a cyber extortion tactic where attackers steal data, demand payment, and threaten to publish or sell the data if the victim refuses to pay.

How is pay-or-leak different from traditional ransomware?

Traditional ransomware focuses on encrypting systems so an organization cannot access its files. Pay-or-leak extortion focuses on stolen data.

What is double extortion?

Double extortion happens when attackers encrypt systems and steal data in the same attack.