leaksear.ch has indexed a nearly 85,000-record Charter Communications dataset tied in the metadata to an April 1, 2026 Salesforce exfiltration attributed to ShinyHunters (leaksear.ch metadata). Public reporting describes the broader incident as a Charter extortion listing after an alleged vishing compromise, while Charter confirmed it was aware of an incident and said no sensitive PI or CPNI was exfiltrated (bleepingcomputer.com).
What happened
Charter Communications operates the Spectrum brand and reported 31.7 million customer relationships and 29.6 million Internet customers as of March 31, 2026 (corporate.charter.com). BleepingComputer reported on May 26, 2026 that Charter confirmed an incident after ShinyHunters listed the company on its data leak site, with the group claiming it stole customer records from Charter's Salesforce instance after an April 1 vishing attack against a Microsoft Entra account (bleepingcomputer.com). Charter did not confirm the threat actor's claimed scale or data categories, and referred BleepingComputer back to its statement denying exfiltration of sensitive PI or CPNI (bleepingcomputer.com).
The alleged access path is consistent with broader ShinyHunters-branded SaaS data theft activity documented by Google Threat Intelligence and Mandiant in January 2026, where actors used vishing and credential-harvesting sites to obtain SSO credentials and MFA codes before exfiltrating data from cloud applications. Google said that activity was not the result of a security vulnerability in vendor products or infrastructure (cloud.google.com).
Public counts for the wider Charter leak vary by source and counting method. Have I Been Pwned lists 4.9 million affected accounts and says the published data exposed names, emails, phone numbers, physical addresses, and about 85,000 internal employee directory records with job titles (haveibeenpwned.com). Cybernews separately estimated at least 13 million individuals, nearly 10 million support ticket records, and nearly 27,000 employee records, while noting that ShinyHunters' 42 million-record claim may include duplicates (cybernews.com). The leaksear.ch count covered here is the indexed 84,818-record subset, not a claim about the full public leak (leaksear.ch metadata).
What data was exposed
According to the leaksear.ch indexing metadata, searchable fields in this 84,818-record subset include names, email addresses, phone numbers, addresses, and country values (leaksear.ch metadata). The dataset description ties the records to customer and business contacts, sales and CRM cases, support tickets, and the internal Spectrum employee directory (leaksear.ch metadata).
The same metadata lists additional stored fields that are not direct search pivots, including business unit, department, desk phone, location code, management area, preferred name and preferred last name, title, UUID, image path references, and related profile or application fields (leaksear.ch metadata). HIBP's public breach entry also lists emails, job titles, names, phone numbers, and physical addresses as compromised data categories for the broader Charter breach (haveibeenpwned.com).
Why this matters
Even without passwords or payment card data in the indexed fields, names, addresses, phone numbers, job titles, departments, and business context can help attackers craft convincing phishing or vishing attempts (leaksear.ch metadata). That risk is especially relevant because the broader ShinyHunters-branded activity tracked by Google/Mandiant centers on social engineering, SSO credential theft, and SaaS data exfiltration (cloud.google.com). For Charter customers, business contacts, and Spectrum employees, the most practical concern is targeted impersonation and account-recovery abuse, especially if this data is combined with credentials from other breaches. Readers who want to check whether they appear in this leak should search their email, phone, name, address, or country on leaksear.ch.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, and phone.
Sources
- BleepingComputer: Charter confirms data breach after ShinyHunters extortion threat
- Have I Been Pwned: Charter Data Breach
- Cybernews: Inside the Charter data breach: hackers leak 13M+ customer data
- Charter: Charter Announces First Quarter 2026 Results
- Google Cloud: Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft