In a breach, time is the enemy; focus is the weapon.
A single person with the right access…
That’s all it took for the ShinyHunters hacking group to exploit Charter Communications in a recent (April 2026) security breach.

ShinyHunters used vishing (voice phishing) to call a Charter employee, impersonate a trusted party, and convince them to hand over credentials or approve an access request.
Entry point: Microsoft Entra (Azure AD) — one employee's identity account
Pivot: From Microsoft Entra into Charter's Salesforce environment, where customer data lived (accessible via single sign-on)
Exfiltrated: Customer and business contact records from Salesforce, including support ticket history
After exfiltrating the data, ShinyHunters listed Charter on their leak site and ran a classic "pay or we publish" campaign.
Charter was given a ransom deadline of May 27, 2026
Charter did not pay
ShinyHunters published the data shortly after the deadline passed
ShinyHunters is a financially motivated criminal group active since 2019–2020 that has stolen and sold data from hundreds of millions of accounts across dozens of companies. They're known, profiled, and still operating.
Their Hit List (Notable Breaches)
Tokopedia — 90+ million records (2020)
Wattpad — 250 million records (2020)
Microsoft GitHub — private code repo access (2020)
AT&T (via Snowflake ecosystem, 2024) — 73 million records
Ticketmaster (Snowflake, 2024) — 560 million records claimed
Charter Communications — 4.9M individuals / 40M+ records claimed (2026)
They started out as a group that exploited systems, that is, technical vulnerabilities. Now they have pivoted to an easier method: attacking human trust and poor training.
With the advancements in AI, these organizations are able to speak like the people they are impersonating and be convincing by drawing on the vast amounts of information we provide on social media every day.
The CIO Angle
There are a few main takeaways from this breach that can affect both large and small companies.
The attackers didn’t “hack” an unpatched system. They simply called an employee and convinced them to take action. The “convincing” part used to take skilled people and a lot of research. Now it can be done by anyone with the right AI tools. AI is a huge threat that is going to make social engineering even more lucrative for bad actors.
They didn’t get “admin” access. They got one account that was tied to a customer database. Hackers don’t always need elevated permissions to do damage. They simply need to harvest information that is valuable to your organization, and for most companies that information is readily available to most employees to do their job. In today’s environment, getting account access typically means you can get access to most enterprise apps through a convenience feature called “single sign-on”.
A big underserved part of many breach plans is the PR angle. Most plans only address the chain of command when it comes to IT containment and remediation. But what happens when the clock is ticking and you need to control the narrative with your customers and your shareholders? Who is responsible? How quickly can you analyze the situation and be decisive?
The list of breaches that made the news should open your eyes, but those are only the breaches that you know about. The breaches that didn’t make the news are the ones you should worry about. Those are the private companies that either paid the ransom or were dealt a devastating blow. For the mid-market CIO, your next step should be to understand and plan for the growing threat around your “everyday data”. You need to think like a thief and rally your entire executive team around a plan that balances convenience and accessibility for your employees. The CIO needs to be leading the discussion on breach readiness and response.
Until next week,
—Jared



