ShinyHunters published Charter Communications — the second-largest US cable operator, operating as Spectrum — to its extortion leak site on May 23, 2026, claiming possession of 42 million records and setting a May 27 deadline for the company to open ransom negotiations or face public data release.
Charter Confirms Investigation as ShinyHunters Sets 42-Million-Record Deadline
Charter issued a brief statement confirming it “is investigating the incident and coordinating with authorities.” The company also stated that “no sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor,” without providing further detail on what type of data may have been accessed. Charter said it is following established security protocols.
The combination of 42 million claimed records and a hard public disclosure deadline places Charter under immediate pressure. ShinyHunters has a documented pattern of following through on data publication threats when negotiations do not materialize — most recently in April 2026, when the group published data covering several organizations collectively totaling tens of millions of records.
ShinyHunters’ Salesforce Experience Cloud Exploitation Campaign
Charter’s listing is part of a broader ShinyHunters operation targeting organizations using Salesforce Experience Cloud. Researchers tracking the campaign describe ShinyHunters as exploiting overly permissive guest user configurations and Salesforce Aura misconfigurations — using a weaponized version of Google’s AuraInspector developer tool to scan for and exploit misconfigured Salesforce instances. The campaign has been active since March 2026 and has claimed between 300 and 400 organizations.
The Salesforce misconfiguration vector is distinct from a software vulnerability in Salesforce’s platform: organizations whose Salesforce software is fully patched can still be compromised if guest user permissions are configured too permissively. Salesforce published a security advisory on March 7, 2026 warning of the exploitation pattern.
What 42 Million Records Could Mean for Charter’s Customer Base
Charter operates as Spectrum and has approximately 32 million customer accounts. If the 42 million record count reflects current and former customer data, the breach would represent one of the largest US telecommunications data exposures on record. The scope of data in a telecommunications CRM — customer names, addresses, phone numbers, account histories, service records — means the potential regulatory and notification obligations are substantial depending on what the investigation confirms was accessed.
The May 27 Deadline and ShinyHunters’ Extortion Timeline
ShinyHunters’ use of hard public leak deadlines is a consistent tactical element of the group’s operations. The deadline creates pressure within a defined window: if Charter does not negotiate by May 27, the group has committed to publishing the data. That pattern — seen previously against multiple organizations in the same Salesforce campaign — gives affected companies minimal time to conduct forensic triage, consult legal counsel, and make remediation decisions before the deadline forces a public outcome.
Charter’s brief statement suggests the company is in the early stages of coordinating its response and has not publicly committed to a course of action ahead of that date.
