ShinyHunters Extorts Charter and ZenBusiness After SaaS Account Breaches
Charter Communications confirmed a data breach after ShinyHunters threatened to leak allegedly stolen data, with the group claiming it accessed the company on April 1 through a voice-phishing attack that compromised an employee's Microsoft Entra account and opened a path into Charter's Salesforce environment. The attackers said they stole 40 million customer records, including names, contact details, plan information, support ticket data, and some customer proprietary network information, while Charter said it notified authorities and, based on the data published, no sensitive personal information or CPNI was exfiltrated.
The Charter incident follows a broader ShinyHunters extortion campaign targeting enterprise single sign-on accounts and connected SaaS platforms, especially Salesforce. In a separate case, the group claimed it stole several terabytes of data from ZenBusiness via platforms including Salesforce, Snowflake, and Mixpanel, and threatened to publish the data unless the company responded. Reporting also linked the campaign to claims involving Ameriprise Financial, Infinite Campus, Bumble, Hinge, Match, OkCupid, Mercer Advisors, Beacon Pointe Advisors, and attacks affecting Instructure's Canvas platform, underscoring a repeatable pattern of social engineering, SaaS data theft, and leak-site extortion.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters publishes stolen Charter data
In May 2026, ShinyHunters published data stolen from Charter Communications as part of its pay-or-leak campaign. The leaked dataset reportedly exposed 4.9 million unique email addresses with associated names, phone numbers, and physical addresses, plus about 85,000 internal employee directory records including job titles.
Charter confirms breach after ShinyHunters extortion threat
Charter Communications confirmed a data breach after ShinyHunters threatened to leak allegedly stolen data unless a ransom was paid. Charter said it notified authorities and stated that, based on the information published, no sensitive personal information or customer proprietary network information was exfiltrated.
ShinyHunters allegedly compromises Charter via vishing and accesses Salesforce
ShinyHunters claimed it gained access to Charter Communications on 2026-04-01 through a voice phishing attack that compromised an employee's Microsoft Entra account. The group said this access enabled data export from Charter's Salesforce environment.
ShinyHunters posts ZenBusiness breach claim and leak ultimatum
ShinyHunters claimed responsibility for a breach of ZenBusiness and threatened to leak several terabytes of allegedly stolen data unless the company responded by 2026-03-25. The group said the data was exfiltrated through platforms including Snowflake, Mixpanel, and Salesforce, and posted the claim on the dark web.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
ShinyHunters Leaks Charter Communications Data, Potentially Impacting 5 Million Customers
securityaffairs.com
Open sourceShinyHunters adds Charter to trophy shelf after 4.9M customer records leak
theregister.com
Open sourceCharter Communications data breach affects 4.9 million accounts
bleepingcomputer.com
Open sourceHave I Been Pwned: Charter Data Breach
haveibeenpwned.com
Open sourceShinyHunters extorts Charter Communications after data breach | brief | SC Media
scworld.com
Open sourceCharter confirms data breach after ShinyHunters extortion threat
bleepingcomputer.com
Open source'This is a final warning': Hackers say they'll leak "several terabytes" of ZenBusiness data | TechRadar
techradar.com
Open sourceHackers threaten Mark Cuban-backed firm with major data leak | Cybernews
cybernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
**ShinyHunters** has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted **voice phishing (vishing)** and company-branded phishing portals designed to capture **SSO credentials** and **MFA codes**. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then **enroll attacker-controlled devices into MFA**. After account takeover, the actor pivots through **Okta, Microsoft Entra, or Google** SSO dashboards to rapidly access downstream SaaS services (e.g., *Salesforce*, *Microsoft 365/SharePoint*, *DocuSign*, *Slack*, *Atlassian*, *Dropbox*, *Google Drive*), turning a single compromised identity into broad cloud data access. Separately, **Bumble** reported a phishing-driven compromise of a **contractor account**, after which ShinyHunters allegedly claimed theft of ~**30 GB** of data—reported as largely internal files sourced from **Google Drive** and **Slack**—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as *Hinge*, *Match*, and *OkCupid*), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
May 6, 2026
ShinyHunters Claims Cisco Breach Exposed Salesforce Records and Cloud Data
ShinyHunters has claimed responsibility for breaching Cisco and stealing more than **3 million Salesforce records** along with internal corporate data, **GitHub repositories**, and contents from **AWS S3 buckets**, then posted a **"FINAL WARNING"** on its leak site threatening to publish the data after April 3. Reports said the alleged haul may include information tied to Cisco customers, employees, and personnel from U.S. and foreign government agencies, while screenshots shared by the group purportedly showed access to Cisco-linked AWS infrastructure and multiple connected cloud accounts. The intrusion was linked in reporting to three alleged access paths involving **Salesforce CRM**, **Salesforce Aura/Experience Cloud**, and AWS environments, and to activity tracked as **`UNC6040`** and **`UNC6395`**. Threat intelligence cited in the coverage said the attackers have used **vishing** to trick employees into approving malicious Salesforce OAuth applications, then abused stolen tokens to bypass MFA and move deeper into cloud environments; recommended defenses included auditing connected OAuth apps, revoking suspicious tokens, tightening API access controls, and monitoring for unauthorized Salesforce Data Loader activity. Cisco had not publicly addressed the March 2026 extortion claim at the time of reporting.
May 2, 2026
ShinyHunters Claims Carnival and Udemy Breaches in Extortion Campaign
ShinyHunters claimed responsibility for a major breach affecting Carnival Corporation, with data tied to Holland America Line’s **Mariner Society** loyalty program appearing online after an alleged extortion attempt failed. According to Have I Been Pwned, the leaked dataset contained **8.7 million records** and **7.5 million unique email addresses**, including names, dates of birth, genders, and loyalty program status details. Carnival acknowledged a security incident and said it had identified a phishing attack involving a single user account, while continuing to assess the scope of unauthorized access; the gang separately alleged it also stole terabytes of internal corporate data, a claim that had not been independently verified. The same group also posted a **"Pay or Leak"** notice claiming it had compromised Udemy and stolen more than **1.4 million user records** along with internal corporate data, giving the company a deadline before any public release. Udemy had not confirmed the incident at the time of reporting, leaving the claim unverified, but the allegation fits a broader ShinyHunters campaign targeting SaaS and education organizations through social engineering, credential theft, MFA bypass, and abuse of third-party access. The incidents underscore the group’s continued use of extortion-backed data theft to pressure victims and expose customer information.
May 6, 2026