Charter Communications confirmed last week that a voice phishing call gave ShinyHunters enough access to export records tied to at least 13 million Spectrum customers.
The incident started on April 1, 2026. ShinyHunters placed a call to a Charter employee and socially engineered their way to valid credentials. That yielded an authenticated Microsoft Entra account. With it, the group accessed Charter's Salesforce instance and ran bulk data exports. Names, email addresses, phone numbers, home addresses, service plan details, and support ticket histories came out in the export. Charter confirmed the breach after ShinyHunters threatened to release the data unless a ransom was paid.
BleepingComputer reported that ShinyHunters claimed 42 million records total. Cybernews independently analyzed the leaked dataset and confirmed exposure for more than 13 million individuals, with roughly 27,000 employee records also present. Have I Been Pwned registered 4.9 million unique email addresses from the same set. Charter stated that no passwords and no payment information were included, and it contested that customer proprietary network information was in the export.
Two things are worth examining in the reporting.
What scanners would have missed
The attack produced no CVE. There was no memory corruption, no injectable field, no outdated library with a patch. ShinyHunters presented a valid credential and made a legitimate API call. That attack surface does not appear in a scanner report.
Consider what a DAST tool sees when pointed at Charter's perimeter. It probes public endpoints without credentials. The Salesforce export API sits behind authentication. Without a valid session, the scanner cannot reach it. Without reaching it, it cannot ask what data comes back when an authenticated user calls the bulk export endpoint.
A SAST tool reads source code. Charter's customer data lives in Salesforce, a SaaS product. There is no custom code to analyze. The over-permissioned export was a configuration setting in Salesforce, not a bug in compiled logic.
SCA checks third-party library dependencies for known vulnerabilities. ShinyHunters did not exploit a library. They used a legitimate credential to call a legitimate API.
CVSS is not applicable here. There is no CVE to score. The Salesforce export permission that allowed any authenticated employee to download a table of 13 million customer records is not a vulnerability in the CVE taxonomy. It is a configuration choice. The CVSS model has no field for blast radius per compromised account. A scanner that scores everything by CVE will not surface a misconfiguration that only becomes visible from an authenticated session.
What Sekura would have shown
Phase 3 of Sekura's pipeline is dynamic probing. An agent operating with credentials equivalent to a standard employee account probes every authenticated endpoint available from that session, including the Salesforce API surface.
The specific finding Sekura would have produced: a single employee-class Salesforce session can invoke the bulk export endpoint and retrieve the full customer contact table with no additional authorization challenge. Dynamic probing walks the authenticated API surface systematically, calling endpoints and recording what data the server returns.
The finding would contain these items:
- Endpoint: Salesforce bulk export API, accessed as Employee role session.
- Data returned: full name, email, phone, home address, service plan, support ticket history.
- Estimated scope: full customer table accessible from any valid employee session.
- Blast radius: one socially engineered employee account reaches the entire customer dataset.
- Exploit chain: vishing or phishing to account takeover to bulk API call. No privilege escalation required.
We would not report this with a CVSS score. We would attach a partial export as a proof artifact. The proof changes the conversation. A severity label on a scanner report does not tell you that one phone call from an attacker reaches 13 million records. A working export showing real field names does.
The bigger pattern
Charter is the third major US organization in the past two quarters where ShinyHunters moved from a single compromised identity to a SaaS bulk export without triggering an automated control. The pattern is consistent: a phone call or phishing email yields an authenticated cloud account, the account has access to a SaaS platform, and the SaaS platform has an export API with no per-session volume alert or rate limit.
This is an identity-first attack class. I think the gap that matters is not in your firewall or your application code. It is between your identity provider's authentication log and your SaaS platform's data access log. Those two logs are rarely correlated in real time. By the time an analyst sees an anomalous export event, the data is already staged for exfiltration.
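The correlation this paragraph says is rarely done, as an added Python illustration that is not Sekura's or Charter's code: constructed identity-provider sign-in records are joined to constructed SaaS export events, and an alert is raised when one session's exported rows exceed a threshold or when an export has no sign-in behind it at all. The field names, the row threshold and the eight-hour session window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (UTC). Field names are simplified assumptions,
# not the real Entra sign-in or Salesforce event schemas.
IDP_SIGNINS = [
    {"ts": "2026-04-01T13:02:10", "user": "j.doe@example.com", "known_device": True},
    {"ts": "2026-04-01T14:41:55", "user": "a.lee@example.com", "known_device": False},
]
SAAS_EXPORTS = [
    {"ts": "2026-04-01T13:10:00", "user": "j.doe@example.com", "object": "Case", "rows": 900},
    {"ts": "2026-04-01T14:50:12", "user": "a.lee@example.com", "object": "Contact", "rows": 3_200_000},
    {"ts": "2026-04-01T15:03:40", "user": "a.lee@example.com", "object": "Account", "rows": 2_750_000},
    {"ts": "2026-04-02T02:00:00", "user": "svc.batch@example.com", "object": "Lead", "rows": 50_000},
]

ROW_THRESHOLD = 100_000              # cumulative rows per session above this is abnormal
SESSION_WINDOW = timedelta(hours=8)  # an export belongs to the latest sign-in this recent


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(signins, exports, row_threshold=ROW_THRESHOLD, window=SESSION_WINDOW):
    """Join each export to the sign-in that opened its session; alert when a
    session's cumulative exported rows exceed the threshold, or when an export
    has no sign-in within the window (identity log and SaaS log disagree)."""
    by_user = {}
    for s in sorted(signins, key=lambda r: r["ts"]):
        by_user.setdefault(s["user"], []).append(s)
    session_rows, alerts = {}, []
    for e in sorted(exports, key=lambda r: r["ts"]):
        ets = _ts(e["ts"])
        recent = [s for s in by_user.get(e["user"], [])
                  if ets - window <= _ts(s["ts"]) <= ets]
        if not recent:
            alerts.append({"kind": "export_without_signin", "user": e["user"],
                           "object": e["object"], "rows": e["rows"]})
            continue
        s = recent[-1]  # most recent sign-in is the session owner
        key = (e["user"], s["ts"])
        session_rows[key] = session_rows.get(key, 0) + e["rows"]
        if session_rows[key] > row_threshold:
            alerts.append({"kind": "bulk_export", "user": e["user"], "signin_ts": s["ts"],
                           "new_device": not s["known_device"], "object": e["object"],
                           "session_rows": session_rows[key]})
    return alerts
```

Each alert carries both the sign-in that opened the session and the export volume, which is the view an analyst needs before the data is staged.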
The dominant attack surface in 2026 is not exploitable memory. It is over-permissioned SaaS access sitting behind an identity provider that a skilled social engineer can breach with a phone call.
If you want to see what an authenticated API surface looks like from an attacker's session, book a POC.