Neither breach needed a software flaw. In the two intrusions that two major consumer brands confirmed within days of each other this week, the attackers' only "exploit" was a phone call. The extortion crew ShinyHunters talked an employee out of their corporate single sign-on, walked into the company's Salesforce, and quietly exported the customer database. On 28 May, Carnival — the world's largest cruise operator — began notifying 5,995,277 people. A day later, broadband giant Charter, which trades as Spectrum, watched its customer records appear on the group's leak site after it apparently refused to pay. They are the latest two names on a list that has grown all year.
Two confirmations in one week
The Carnival intrusion dates to 10 April 2026. Per the company's own notification reported by BleepingComputer, "an unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the Company's IT system." Carnival identified the activity on 14 April and confirmed data theft on 22 April; the stolen records include names, dates of birth, email addresses, genders, geographic locations and loyalty-programme details. ShinyHunters claims it took more than 8.7 million records and terabytes of internal data — an attacker assertion, not a verified figure, and well above the roughly six million individuals Carnival is actually notifying.
Charter's timeline is the more instructive one. The group says it phoned a Charter employee on 1 April, used the call to compromise a Microsoft Entra account, and exported data from the company's Salesforce instance. ShinyHunters claims more than 42 million customer records; SecurityWeek and the breach-notification service HaveIBeenPwned put the verified impact closer to 4.9 million unique individuals — names, email addresses, physical addresses and phone numbers — plus about 85,000 internal employee-directory records with job titles. Charter disputes the worst of it, stating that "only sales tools used to manage current, past, and prospective business customers were impacted" and that no customer proprietary network information or sensitive personal information was released. With the data now downloadable from the group's Tor site, the company appears not to have paid.
The attack chain: a phone call, not a CVE
Strip away the brand names and both intrusions run on the same rails. An operator calls an employee, poses as IT support, and steers them to a convincingly cloned sign-in page that proxies the real authentication flow in real time. The victim types their credentials and approves the multi-factor prompt; the attacker captures the session and, in the cleaner version of the playbook, enrols their own MFA device for durable access. From there it is not "hacking" in the Hollywood sense — it is a logged-in user clicking export on a customer-relationship database.
That is why there is no CVE to cite here and no patch to apply. The control that failed was identity verification at the human layer — a helpdesk that could be impersonated, an SSO that trusted a freshly approved MFA prompt, and a Salesforce tenant whose bulk-export capability was available to an ordinary compromised account. Every one of those is a configuration and process question, not a software bug.
Claimed versus verified: reading the numbers
A recurring trap in breach coverage is repeating the attacker's headline figure as fact. ShinyHunters has an incentive to inflate — bigger numbers mean more extortion leverage and more notoriety. Treat "42 million" and "8.7 million" as the group's marketing, and anchor on what the victims and independent trackers confirm: Carnival's own count of 5,995,277 notifications, and HaveIBeenPwned's reconciliation of the Charter dump to roughly 4.9 million unique individuals. The gap between the two is itself the story — it is where unverifiable claim meets auditable reality, and it is the line responsible reporting has to hold.
Part of a much larger pattern
Charter and Carnival are not isolated incidents; they are the freshest entries in a campaign that has run since at least the start of the year. Salesforce flagged the group's activity against its platform in March, and security researchers have since tied a string of confirmed corporate breaches to the same vishing-to-SSO method. Home-security firm ADT confirmed a breach on 24 April after detecting unauthorised access to customer and prospect data on 20 April; commercial-real-estate group Cushman & Wakefield confirmed a Salesforce data theft in early May. Researchers tracking the actor put the count of organisations hit by the broader brand-impersonation and vishing operation this year in the hundreds.
| Organisation | Sector | Reported impact | Entry method | Status |
|---|---|---|---|---|
| Charter / Spectrum | US broadband | ~4.9M verified (group claims 42M+ records) | Vishing → Entra → Salesforce | Data leaked |
| Carnival | Global cruise | 5,995,277 notified (group claims 8.7M) | Employee social engineering | Notifying |
| ADT | US home security | Customer & prospect data (undisclosed count) | Vishing → SSO | Confirmed |
| Cushman & Wakefield | Commercial real estate | Salesforce records (group claims 500k+) | Vishing | Confirmed |
Why the CRM became the crown jewel
There is a reason the same database keeps coming up. A customer-relationship platform is where an enterprise concentrates exactly the data an extortionist wants — names, contact details, account history, support tickets — already cleaned, deduplicated and queryable. It is reachable from any browser, it is wired into the corporate identity provider, and bulk export is a feature, not an abuse. The attacker does not have to move laterally through a network or evade an endpoint agent; they have to convince one person, once, that the caller is from the service desk. The "trust" the operating model depends on — that a signed-in user is who they claim to be — is precisely what gets weaponised.
What defenders should take from this
None of the countermeasures are novel, which is the uncomfortable part. The highest-leverage moves are phishing-resistant MFA (FIDO2 or passkeys, which defeat the real-time proxy that one-time codes do not), a helpdesk identity-verification process that cannot be talked around, and tight controls on bulk export from SaaS platforms — alerting on anomalous large reads and gating mass export behind separate approval. Watch for new MFA-device enrolments on existing accounts, the quiet signature of this campaign, and rehearse the assumption that initial access will arrive as a convincing phone call rather than a malicious attachment. Where Salesforce or any major CRM holds the customer base, treat its export logs as tier-one security telemetry.
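As an added illustration of the last two points (watching for new MFA enrolments and treating CRM export logs as tier-one telemetry), the following detection sketch correlates the two signals the attack chain above leaves behind. It is example code written for this article, not Carnival's, Charter's or any vendor's tooling; the event schema, field names and thresholds are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified schema; these are not the
# real Entra or Salesforce audit formats, only stand-ins for the same signals.
EVENTS = [
    {"ts": "2026-04-01T09:02:00", "user": "jdoe",   "source": "idp", "action": "sign_in"},
    {"ts": "2026-04-01T09:04:30", "user": "jdoe",   "source": "idp", "action": "mfa_method_added"},
    {"ts": "2026-04-01T09:20:00", "user": "jdoe",   "source": "crm", "action": "report_export", "rows": 1_250_000},
    {"ts": "2026-04-01T10:00:00", "user": "asmith", "source": "crm", "action": "report_export", "rows": 250},
    {"ts": "2026-04-01T11:00:00", "user": "bkim",   "source": "idp", "action": "mfa_method_added"},
    {"ts": "2026-04-02T16:00:00", "user": "bkim",   "source": "crm", "action": "report_export", "rows": 400_000},
]

EXPORT_ROW_THRESHOLD = 100_000            # assumed: exports this large count as "bulk" for this tenant
CORRELATION_WINDOW = timedelta(hours=24)  # assumed: enrolment-to-export gap that earns a high-priority alert


def find_mfa_enrolments(events):
    """Every new MFA method registered on an existing account is a signal on its own."""
    return [(e["user"], e["ts"]) for e in events
            if e["source"] == "idp" and e["action"] == "mfa_method_added"]


def find_bulk_exports(events, threshold=EXPORT_ROW_THRESHOLD):
    """CRM report exports at or above the row threshold."""
    return [(e["user"], e["ts"], e["rows"]) for e in events
            if e["source"] == "crm" and e["action"] == "report_export"
            and e.get("rows", 0) >= threshold]


def correlate(events, window=CORRELATION_WINDOW):
    """High-confidence alert: the same account enrols a new MFA method and then
    bulk-exports from the CRM within the window (the pattern described above)."""
    alerts = []
    for user, enrol_ts in find_mfa_enrolments(events):
        for exp_user, exp_ts, rows in find_bulk_exports(events):
            gap = datetime.fromisoformat(exp_ts) - datetime.fromisoformat(enrol_ts)
            if exp_user == user and timedelta(0) <= gap <= window:
                alerts.append({"user": user, "enrolled": enrol_ts, "exported": exp_ts, "rows": rows})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In the sample data only jdoe trips the correlated rule; bkim's export is still flagged as bulk on its own but falls outside the 24-hour window, which is the kind of tuning a tenant would set from its own export baseline.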
Note: This is defensive threat reporting for awareness and control prioritisation — not a how-to. No phishing kit, script or proof-of-concept is reproduced here.