ctipilot.ch

ShinyHunters lists Charter Communications (Spectrum), claims 42M records; Charter denies sensitive PI/CPNI exfil

incident · item:shinyhunters-charter-spectrum-listing-42m-claim

Coverage timeline: 1 (first 2026-05-25 → last 2026-05-25)
Briefs: 1 (1 distinct)
Sources cited: 48 (29 hosts)
Sections touched: 1 (updates)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-25 · CTI Daily Brief — 2026-05-25 · updates: First telco victim of Salesforce-credential campaign (cont. of 7-Eleven 2026-05-19); 27 May deadline; 42M claim unverified

Where this entity is cited

  • updates: 1

Source distribution

  • bleepingcomputer.com: 6 (12%)
  • theregister.com: 5 (10%)
  • attack.mitre.org: 4 (8%)
  • securityweek.com: 3 (6%)
  • cyberinsider.com: 2 (4%)
  • securityaffairs.com: 2 (4%)
  • techzine.eu: 2 (4%)
  • github.com: 2 (4%)
  • other: 22 (46%)

Related entities


Items in briefs about ShinyHunters lists Charter Communications (Spectrum), claims 42M records; Charter denies sensitive PI/CPNI exfil (11)

UPDATE: ShinyHunters Salesforce campaign — Charter and 7-Eleven both confirm; 7-Eleven count put at ~185,000 affected

From CTI Daily Brief — 2026-05-27 · published 2026-05-27

UPDATE (originally covered 2026-05-24 / 2026-05-25): Charter Communications (Spectrum) has confirmed it was breached after ShinyHunters listed it and threatened to leak data; Charter notified law enforcement but states that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated — disputing the actor's claim of 42 million records (BleepingComputer, 2026-05-26; CyberInsider, 2026-05-23). ShinyHunters claims initial access on 1 April 2026 via vishing that compromised an employee Entra account, then bulk-exported customer records from Charter's Salesforce CRM.

Separately, 7-Eleven confirmed its ShinyHunters incident affects roughly 185,000 individuals; BleepingComputer reports the exposed fields as names, dates of birth, email addresses, phone numbers and physical addresses (describing the affected as franchisee-document holders) (BleepingComputer, 2026-05-26), while CyberInsider additionally reports Social Security numbers and driver's licence numbers in the set (CyberInsider, 2026-05-26). The 185,000 figure is not inconsistent with the earlier unconfirmed 600,000-record CRM claim: the former counts individuals, the latter records. Both intrusions follow the campaign's Salesforce-Aura pattern (vishing → Entra account → CRM export, or unauthenticated /s/sfsites/aura guest-profile queries): audit guest-user object permissions on Experience Cloud, enable Secure Guest User Record Access, restrict SSN/ID fields to named users, and enforce phishing-resistant MFA (FIDO2/passkeys) on SaaS admin accounts.

UPDATE: ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign

From CTI Daily Brief — 2026-05-25 · published 2026-05-25

UPDATE (Salesforce-credential extortion campaign, originally covered 2026-05-19 via the 7-Eleven breach): ShinyHunters listed Charter Communications — operating consumer services under the Spectrum brand — on its leak site around 22–23 May, claiming over 42 million PII records and setting a 27 May negotiation deadline before threatened release (CyberInsider, 2026-05-23). The 42M figure is the actor's own unverified leak-site claim. Charter issued a narrowly worded statement confirming it is "following security protocols" and "alerting appropriate authorities" while explicitly denying that "sensitive personal information (PI) or customer proprietary network information (CPNI)" was exfiltrated — language calibrated to FCC-protected categories. The exclusion of non-CPNI PII (billing name, address, email) from that denial is conspicuous and leaves room for lower-sensitivity data exposure even if the denial holds.

By our own campaign tracking, Charter is the first telco/ISP victim of this wave to respond publicly — an inference from the prior named victims (Instructure, Vimeo, Wynn, Vercel, Medtronic, 7-Eleven), none of them telcos, rather than a claim made by the cited sources. The pattern is consistent with the broader ShinyHunters wave against enterprise Salesforce tenants — abuse of exposed OAuth tokens and misconfigured connected-app / Experience Cloud integrations, not a vulnerability in Salesforce itself — the same vector behind the confirmed 7-Eleven breach (600k records, covered 2026-05-19). The fresh Charter listing is independently corroborated by Troy Hunt's Weekly Update 505, 2026-05-24, which records ShinyHunters' new claimed victims. For CH/EU public bodies running Salesforce: audit connected-app OAuth scopes, rotate long-lived connected-app credentials, restrict Experience/Community Cloud guest-user access, and baseline bulk-object query volumes via Shield Event Monitoring — an anomalous large SELECT against Account/Contact objects is the data-exfiltration signature to alert on.

7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

7-Eleven, Inc. confirmed on 2026-05-18 that an unauthorised third party accessed systems storing franchisee documents on 2026-04-08, in a breach claimed by ShinyHunters on or around 2026-04-17 (SecurityWeek, 2026-05-18; Security Affairs, 2026-05-18). ShinyHunters listed over 600,000 Salesforce CRM records covering personal and corporate data from franchise applications, initially demanding a ransom with a 2026-04-21 deadline and then offering the data for sale at $250,000 on a hacker forum. 7-Eleven filed a Maine Attorney General notification dated 2026-05-01 confirming 24 months of IDX identity-theft protection for affected individuals (Maine AG breach notification, 2026-05-01). The Maine filing lists only 2 Maine residents but the ShinyHunters claim covers 600,000+ records globally. SecurityWeek attributes the broader campaign — Instructure (Canvas), Vimeo, Wynn Resorts (21,000 employees), Vercel and Medtronic among confirmed co-victims — not to Salesforce-product vulnerabilities but to phishing, third-party-integration abuse, and customer-side misconfiguration of Salesforce Connected Apps.

Why it matters to us: ShinyHunters is the same actor that hit Instructure last week, with the broader Salesforce-targeting campaign continuing across sectors. The campaign vector is identity-side rather than Salesforce-product-side — Connected App OAuth grant abuse, phishing of admin sessions, mis-scoped third-party SaaS integrations. EU/CH public-sector and finance tenants using Salesforce for partner / supplier / case-management data should audit Connected App OAuth grants (particularly to third-party AI SaaS integrations), enable Salesforce Event Monitoring with alerts on bulk Report Export events and high-volume SOQL API calls, enforce IP-range / Trusted-IP session policies, and consider Salesforce Shield field-level encryption for PII. T1078.004 (Cloud Accounts), T1530 (Data from Cloud Storage Object), T1567.002 (Exfiltration to Cloud Storage).
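The detection guidance in the two items above (baseline per-object read volumes, alert on an anomalous bulk read of Account/Contact) as a worked example. This is added illustration code, not tooling from the briefs or from Salesforce; the log is a constructed CSV whose field names are modelled on the Salesforce EventLogFile "API" event type (an assumption), and the user IDs and row counts are made up.

```python
"""Median-baseline check for bulk CRM object reads in API event logs."""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample log (assumption: columns follow the EventLogFile
# 'API' event type). Five ordinary users, one user pulling whole objects
# late at night from a different client address.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,ENTITY_NAME,ROWS_PROCESSED,CLIENT_IP
API,2026-04-01T08:02:11Z,005xx000001A1,Account,120,203.0.113.10
API,2026-04-01T08:40:53Z,005xx000001A2,Contact,85,203.0.113.11
API,2026-04-01T09:15:02Z,005xx000001A3,Contact,140,203.0.113.12
API,2026-04-01T09:58:40Z,005xx000001A1,Contact,95,203.0.113.10
API,2026-04-01T10:21:17Z,005xx000001A2,Account,110,203.0.113.11
API,2026-04-01T11:05:44Z,005xx000001A4,Case,300,203.0.113.13
API,2026-04-01T23:41:09Z,005xx000001B9,Contact,2000000,198.51.100.7
API,2026-04-01T23:52:33Z,005xx000001B9,Account,1500000,198.51.100.7
"""

# Objects that hold customer PII in a typical CRM tenant.
WATCHED_OBJECTS = {"Account", "Contact"}


def parse_events(text):
    """Parse the CSV export into dicts, coercing the row count to int."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ROWS_PROCESSED"] = int(rec["ROWS_PROCESSED"])
        events.append(rec)
    return events


def rows_per_user(events):
    """Sum rows read per (user, object) for the watched objects only."""
    totals = defaultdict(int)
    for e in events:
        if e["EVENT_TYPE"] == "API" and e["ENTITY_NAME"] in WATCHED_OBJECTS:
            totals[(e["USER_ID"], e["ENTITY_NAME"])] += e["ROWS_PROCESSED"]
    return totals


def flag_bulk_exports(text, factor=20):
    """Return sorted (user, object, rows) tuples whose volume exceeds
    factor x the median per-user volume for that object. The median is
    used as the baseline because a single runaway export cannot drag it
    up the way a mean would; in production compute it over a prior
    window (e.g. 30 days), not the window being inspected."""
    totals = rows_per_user(parse_events(text))
    by_object = defaultdict(list)
    for (_, obj), n in totals.items():
        by_object[obj].append(n)
    baseline = {obj: median(v) for obj, v in by_object.items()}
    return sorted((user, obj, n) for (user, obj), n in totals.items()
                  if n > factor * baseline[obj])
```

Report Export events (a separate event type with its own columns) are the other signature the briefs name; they would be handled by a parallel check keyed on that event type rather than on row counts.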

7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

7-Eleven confirmed on 2026-05-18 that an unauthorised third party accessed franchise-application records (600,000+) in a breach ShinyHunters claimed in April 2026. The operational point for this audience is the campaign, not the victim: 7-Eleven joins Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic as named victims of the same Salesforce-targeting ShinyHunters operation. Any organisation with Salesforce connected apps and OAuth-integrated third parties should re-audit connected-app scopes and refresh-token lifetimes.

TeamPCP / Mini Shai-Hulud (ShinyHunters / WorldLeaks adjacent) — wave 4 + framework leak + IDE persistence

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Full coverage in § 2 (multi-day chain). Status-update register: long-running operator-family pattern continues; wave 4 (170+ packages / 400+ versions per daily-brief tracking) is the largest documented npm-supply-chain wave to date; the leaked framework source materially changes both attacker and defender posture and elevates the risk of secondary operators applying the same techniques against PyPI / Cargo / Maven Central in 2026-W21. The ShinyHunters / WorldLeaks family logged in W19's long-running record (item:shinyhunters-worldleaks-family) overlaps in operator targeting (AI-tooling SaaS, multi-tenant credential aggregation) with TeamPCP's npm-side ecosystem — the two clusters appear to be operating in parallel across the SaaS and registry attack surfaces with no public attribution merging them.

Canvas / Instructure — ShinyHunters / WorldLeaks ransom-paid, US House investigation

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Full coverage in § 2 (multi-day chain). Status-update register: ShinyHunters / WorldLeaks long-running operator pattern (W19 record item:shinyhunters-worldleaks-family) continues; the Canvas case is the operator's first publicly-confirmed ransom-with-broken-non-extortion-covenant precedent and the first US Congressional investigation of an EdTech SaaS supply-chain incident.

UPDATE: Instructure (Canvas LMS) — ransom paid to ShinyHunters with "shred logs"; second intrusion confirmed; per-institution leak deadline reset to today

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (originally covered 2026-05-09; updated 2026-05-10): Instructure on 2026-05-11 disclosed that it "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" — a ransom payment in everything but name, undisclosed amount, covering the platform-wide ~3.65 TB dataset that ShinyHunters claimed to have lifted from Canvas's Free-for-Teacher tier on 2026-04-29 (Inside Higher Ed, 2026-05-11; Infosecurity Magazine, 2026-05-11).

Two material developments accompany the settlement: (a) Instructure confirmed a second intrusion on 2026-05-07 in which ShinyHunters defaced approximately 330 individual institution login portals via the same Free-for-Teacher vulnerability — the first in-the-wild (ITW) evidence that the underlying flaw remained exploitable post-patch; (b) ShinyHunters has now reset a per-institution payment deadline to end-of-day 2026-05-12 (today), positioning the central settlement as covering only the bulk dataset while leaving individual institutions exposed to targeted publication (The Register, 2026-05-12). CEO Steve Daly publicly acknowledged delayed external communication ("we got the balance wrong" on disclosure timing). CrowdStrike remains engaged for the IR work.

Operational reality for any European university running Canvas: the "data was destroyed" claim is not technically verifiable — by ransomware-actor practice, the artefact provided is typically a hash list or a video, not a forensically meaningful proof of deletion. The dataset must continue to be treated as compromised in perpetuity for GDPR / Swiss DSG purposes, downstream phishing risk planning, and student-identity exposure communications. Institutions that received the per-institution deadline note should validate that any locally-stored Canvas-derived data (course rosters, communications, gradebooks) is included in the breach-notification scope, regardless of the platform-wide settlement.

ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The cross-day pattern most visible in 2026-W19 is the ShinyHunters / WorldLeaks operator family's role in four parallel third-party / SaaS-tier compromises with European footprint, all riding the third-party-analytics → cloud-data-warehouse → tenant-data-exfiltration pivot rather than direct attack on the victim's infrastructure. The sequence:

  • Vimeo / Anodot (first covered 2026-05-07): Vimeo's official statement confirmed customer email addresses were affected via a third-party security incident involving Anodot, an analytics vendor integrated with Vimeo's infrastructure; the Snowflake-and-BigQuery cloud-data-warehouse pivot is attributed to ShinyHunters' extortion claim per BleepingComputer (not Vimeo's own confirmation); BleepingComputer reports approximately 119,000 email addresses exposed; ShinyHunters published the dataset after Vimeo declined extortion (Vimeo official blog, 2026-04-27 · BleepingComputer, 2026-05-06 · The Register, 2026-05-05).
  • Inditex (Zara) (first covered 2026-05-09): Have I Been Pwned confirmed 197,400 EU customer email addresses exposed via the same Anodot → BigQuery pivot; Inditex confirmed access to email, geographic location, order IDs, support ticket content; ShinyHunters dumped ~140 GB after Inditex declined (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08 · daily 2026-05-09).
  • ADT Inc. (first covered 2026-05-06): SEC 8-K filed 2026-04-24 disclosed unauthorised access to certain cloud environments; ShinyHunters claimed the initial-access vector was vishing on an employee Okta SSO account followed by Salesforce data exfiltration (ADT did not confirm the vector) (ADT Newsroom, 2026-04-24 · daily 2026-05-06).
  • Instructure / Canvas (first covered 2026-05-06; expanded each subsequent day; see the separate item below).

The lesson under PD-11 (less is more) for Swiss / EU public-sector readers: third-party analytics, monitoring, evaluation, and observability integrations holding OAuth or service-account access to production data warehouses (Snowflake, BigQuery, Redshift) are a structural supply-chain attack surface that vendor-assessment checklists routinely miss. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; require provider-side anomaly alerts; and treat any tenant-to-tenant credential propagation pattern (the four incidents above are all that pattern) as warranting a tabletop on revocation timing — Vimeo revoked privileged credentials and access tokens within hours of detection, which is the right reference performance.

ShinyHunters / WorldLeaks family (financial-data extortion, third-party-SaaS pivot)

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Current state: most-active operator family of 2026-W19. Confirmed parallel involvement across Vimeo/Anodot, Inditex/Zara/Anodot, ADT/Okta-SSO/Salesforce, and Canvas/Instructure (second-intrusion claim despite May 8 patches). The architectural pattern across these incidents — third-party analytics, BI, integration, or LTI service accounts holding broad read access to tenant data — is consistent and converging. The Canvas/Instructure extortion deadline is 2026-05-12 (two days out at week-end). Outstanding defender question: which AI-tooling SaaS or analytics SaaS vendor will be the next confirmed pivot point. (See § 2 multi-day chain.)

UPDATE: Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): ShinyHunters posted a second intrusion notice around 2026-05-08 asserting Instructure's Canvas LMS retained unpatched vulnerabilities allowing re-entry despite the company's earlier security-patch deployment (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08). Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation across its customer base.

Seven Dutch universities — VU Amsterdam, University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology (TU/e), Maastricht University, and University of Twente — executed emergency Canvas disconnections on or before 2026-05-09 after the attackers claimed continued active access. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam.

The 2026-05-12 extortion deadline remains active — two days from publication. ShinyHunters' original claim cited 275 million records (names, email addresses, student IDs, private messages) across thousands of educational institutions worldwide (Techzine EU, 2026-05-08); if the second-intrusion claim is verified, Instructure's remediation was incomplete and the data-release threat is materially more credible. Defenders at European universities using Canvas should treat credential-stuffing risk on stolen student / staff emails as active, audit third-party LTI integrations, and watch for follow-on phishing campaigns referencing course content.

Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

Have I Been Pwned confirmed on 2026-05-08 that 197,400 unique email addresses from Inditex (Zara's parent, headquartered in A Coruña, Spain) were exposed following a breach of a former third-party analytics provider. Inditex confirmed attackers accessed customer relationship data — email addresses, geographic locations, purchase history (order IDs and product SKUs), and support ticket content — across international markets (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08). Names, passwords, payment card data, addresses, and phone numbers were stated to be out of scope. ShinyHunters claimed responsibility, alleging access via compromised authentication tokens for the Anodot analytics platform against BigQuery instances; this claim has not been independently verified. Data publication (approximately 140 GB) followed after Inditex declined to engage. Inditex stated it had "started notifying the relevant authorities" but did not specify which supervisory authority or whether the GDPR Article 33 72-hour notification clock was met; as a Spanish company the lead supervisory authority is the AEPD.

Defender takeaway: Third-party analytics and BI platforms with OAuth or service-account access to production data warehouses (BigQuery, Snowflake, Redshift) represent a persistent supply-chain data-exfiltration vector. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; review whether analytics platform service accounts have read-all access to customer-facing databases.