Soon after Charter Communications confirmed that attackers had accessed millions of customer records, including names, email addresses, phone numbers, plan data, and support ticket content, all pulled from a Salesforce environment, and a May 27 response deadline passed, attackers appear to have published the trove of data they exfiltrated.
ShinyHunters claimed responsibility for the attack, and the successful vector reportedly involved a voice phishing call that compromised a Microsoft Entra account belonging to a Charter employee.
Shortly after the deadline passed without resolution, ShinyHunters published what it claims is the Charter dataset on its dark web blog, citing the company's failure to engage. Charter has not confirmed or responded to the publication, and its earlier statement that no sensitive personal information was exfiltrated remains the company's only public position.
This attack reflects how these campaigns often operate: the attackers post the data listing, set an extortion deadline, and wait while the target organization manages the legal, communications, and law enforcement dimensions simultaneously. The pressure compounds. The public narrative becomes contested. The data, regardless of what any official statement says, hits circulation following an unresolved deadline.
"This incident highlights how SaaS ecosystems have become one of the most overlooked parts of the modern attack surface," said Dale Hoak, CISO at RegScale, a continuous controls monitoring platform provider. "Organizations often apply rigorous security controls to core infrastructure while cloud business platforms quietly accumulate excessive permissions, legacy integrations, service accounts, and years of sensitive operational data with far less scrutiny."
Ransomware attacks, overall, seem to be on the rise in 2026. Analysis from cybersecurity and business resilience firm NCC Group, in its most recent Cyber Threat Intelligence Report, finds ransomware activity stayed high throughout April 2026, despite a modest month-on-month decline. With 748 ransomware listings worldwide in April, NCC Group estimates a 7% decrease compared to March. Notably, NCC Group’s analysis found ransomware activity in 2026 operating at a higher baseline than much of 2025, reflecting the growing scale and maturity of the ransomware-as-a-service (RaaS) ecosystem, the company said.
One Playbook, Dozens of Victims
There's certainly been a spike in ShinyHunters activity this year. The group claimed at least eight major breaches in April, including Medtronic, ADT, Amtrak, Pitney Bowes, and Vimeo. Baker Distributing and DentaQuest followed in May. In mid-May, the FBI issued a public service announcement specifically addressing the group's attacks on learning management systems.
These intrusions are threaded by consistent tradecraft. Attackers compromise an identity provider, such as Microsoft Entra or Okta, typically through social engineering targeting help desk or support personnel. "Help desks and service desks continue to be the target, because the help desk deals with sensitive business transactions, such as credential management and account lockouts, and they are trained and measured on being helpful. The help desk agents themselves are put in an impossible position that no amount of security training will resolve," said Keith Stewart, CEO at social-engineering detection startup Humanix.
“I used to work the help desk,” Andrew Chipman, GRC lead analyst at cybersecurity and compliance consulting firm ProCircular, added. “Now I consult for security teams. The common theme I see with security controls, especially permission levels, breaking down is that a human went around them. It is not because the help desk staff is uneducated or unaware of security risks. Instead, it is because an irate executive calls and tells them to get it done or else,” he stressed.
Following a successful social engineering attempt, the attackers then establish persistence, often through MFA manipulation. They move laterally via SSO-connected applications and locate the Salesforce environment. They extract what's there. The technique does not rely on zero-days. It exploits the gap that persists between identity security programs and SaaS security governance. That’s two disciplines that most enterprise security programs still treat as adjacent rather than integrated.
Obsidian Security, which published an analysis of ShinyHunters' 2026 voice phishing campaign methodology, documented this pattern across multiple intrusions. The entry points vary; the structural gap being exploited does not.
ShinyHunters Isn't the Only Threat Running
ShinyHunters' activity is running in parallel with a robust ransomware ecosystem. For instance, Dragonforce posted more than 20 new victims during the 48-hour window between May 25 and 27, targeting small- to midsize businesses across Europe and North America. Qilin, which analysts at Quorum Cyber and CybelAngel have described as aligning with both Dragonforce and a reconstituted LockBit in a ransomware cartel structure, claimed Hamister Group and Semgrep around the same period. Akira, Play, and Incransom maintained steady posting cadences across construction, healthcare, and professional services verticals.
That all paints a picture of mature, parallel criminal operations working different seams of enterprise architecture simultaneously. ShinyHunters concentrates on the identity-to-SaaS path. Ransomware groups concentrate on endpoint-to-data paths. Both are succeeding with consistency.
The Structural Question Enterprise Security Programs Need to Answer
The FBI's guidance? It's to not pay ransoms, verify contact requests, and report such incidents to IC3. That's sound advice, but it does not address the question that security leaders should be examining now: why does a single social-engineering call that talks privileged credentials out of a help desk translate into large-scale SaaS data exposure at organizations of this scale and with these resources?
The attack vector in the Charter breach was a vishing call. The downstream impact was the reported pulling of 42 million records from Salesforce. The distance between those two events, a single compromised identity and a full SaaS data pull, reflects a control architecture that has not kept pace with how enterprise data flows today. Detecting identity compromise after authentication is a problem. Containing SaaS exposure before exfiltration is a problem. Both require deliberate investment in programs, and both remain underdeveloped relative to the threat.
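As an added example, not code from this article or from any company quoted in it, the following correlation rule ties together the two gaps discussed here (the help-desk-to-MFA-to-SSO-to-Salesforce playbook above, and the "detect identity compromise after authentication, contain SaaS exposure before exfiltration" problem). It runs over constructed Entra- and Salesforce-style audit events; the field names, the 24-hour window and the row threshold are assumptions, not any vendor's schema.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample telemetry (not real Charter or vendor logs). "alice" shows the
# chain described in the article: help-desk MFA reset, new authenticator, SSO
# sign-in to Salesforce, bulk export. "bob" shows benign, unrelated activity.
EVENTS = [
    {"ts": "2026-05-20T09:02:00", "src": "entra", "user": "alice", "type": "mfa_reset_by_helpdesk"},
    {"ts": "2026-05-20T09:05:00", "src": "entra", "user": "alice", "type": "mfa_method_added"},
    {"ts": "2026-05-20T09:12:00", "src": "entra", "user": "alice", "type": "sso_signin", "app": "Salesforce"},
    {"ts": "2026-05-20T09:40:00", "src": "salesforce", "user": "alice", "type": "bulk_export", "rows": 4_200_000},
    {"ts": "2026-05-20T10:00:00", "src": "salesforce", "user": "bob", "type": "bulk_export", "rows": 900},
    {"ts": "2026-05-19T08:00:00", "src": "entra", "user": "bob", "type": "mfa_method_added"},
]

WINDOW = timedelta(hours=24)       # assumed lookback from the export back to the MFA change
ROW_THRESHOLD = 100_000            # assumed "large export" cut-off


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, window=WINDOW, row_threshold=ROW_THRESHOLD):
    """Flag users whose identity-provider MFA change is followed, within `window`,
    by an SSO sign-in to Salesforce and a bulk export at or above `row_threshold`.
    Returns one finding per matching export, with the event chain that matched."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        mfa = [e for e in evs if e["type"] in ("mfa_method_added", "mfa_reset_by_helpdesk")]
        exports = [e for e in evs if e["type"] == "bulk_export" and e.get("rows", 0) >= row_threshold]
        for ex in exports:
            t_ex = parse(ex["ts"])
            # Only MFA changes and Salesforce SSO sign-ins that precede the export count.
            prior_mfa = [m for m in mfa if timedelta(0) <= t_ex - parse(m["ts"]) <= window]
            sso = [s for s in evs if s["type"] == "sso_signin" and s.get("app") == "Salesforce"
                   and timedelta(0) <= t_ex - parse(s["ts"]) <= window]
            if prior_mfa and sso:
                findings.append({
                    "user": user,
                    "rows": ex["rows"],
                    "chain": [m["type"] for m in prior_mfa] + ["sso_signin", "bulk_export"],
                    "helpdesk_reset": any(m["type"] == "mfa_reset_by_helpdesk" for m in prior_mfa),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

The rule deliberately requires the identity-side signal and the SaaS-side signal together, which is the correlation the article says most programs do not make because the two telemetry sources sit in different teams.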
In our next story, we’ll detail what steps organizations and platform providers should take to better minimize their risks, as it’s just a matter of time before a new extortion deadline hits the headlines.