Last updated: July 5, 2026 at 9:01 AM UTC
Tag: telecom (6 articles)

American Tower breach surfaces on Have I Been Pwned with 216,000 accounts

Data from a breach of American Tower, one of the largest wireless communications infrastructure companies, has been indexed by Have I Been Pwned, which added 216,601 affected accounts. The extortion group ShinyHunters is linked to the incident, consistent with its sweeping 2026 campaign that has used social engineering against staff to reach corporate systems and exfiltrate data at major enterprises. American Tower operates critical telecom infrastructure, making any exposure of employee or partner data a concern for follow-on phishing and targeted attacks. Exposed contact details are commonly reused for convincing phishing against affected individuals and the organization.

Check
People connected to American Tower should check Have I Been Pwned for their email and stay alert to phishing referencing the company; the organization should review how the data was accessed.
Affected
Individuals whose data was exposed in the American Tower breach (216,601 accounts indexed); exposed contact information supports targeted phishing against a company operating critical communications infrastructure.
Fix
Reset and avoid reusing affected passwords, enable phishing-resistant MFA, and treat unexpected messages referencing American Tower with caution. Organizations should harden help desks and accounts against social-engineering-driven access.

ShinyHunters publishes Charter Communications data after failed extortion - up to 5 million customer records now leaked, not just claimed

The ShinyHunters extortion group has now published the Charter Communications data it stole, after the telecom giant apparently refused to pay. Earlier reporting put the breach at 4.9 million HIBP-confirmed unique accounts; ShinyHunters' leak is described as potentially impacting up to 5 million customers. Charter is one of the largest US telecoms, providing internet, cable, mobile, and phone services to residential and business customers under the Spectrum brand. The data was originally exfiltrated via voice-phishing of a Microsoft Entra account on April 1 and a Salesforce export. With the data now public rather than merely claimed, the phishing and identity-theft risk to affected customers rises sharply.

Check
If you are a Charter/Spectrum customer or vendor, treat the leaked dataset as public now. Watch for Spectrum-themed phishing and account-recovery fraud over the next 60-90 days.
Affected
Up to 5 million Charter/Spectrum customers whose records are now publicly leaked, not just claimed. Names, contact details, and plan information enable targeted phishing and impersonation.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter contacts. Organizations: refresh breach-monitoring watchlists and brief help desks against Charter-themed social engineering.

ShinyHunters Charter Communications breach hit 4.9 million unique accounts (42M records claimed) - HIBP confirms scale

HIBP has confirmed 4.9 million unique accounts (4,851,517 email addresses) were affected by the Charter Communications breach disclosed earlier this week. The ShinyHunters extortion gang initially claimed 42 million records exfiltrated from Charter's Salesforce instance via voice-phishing of a Microsoft Entra account on April 1; the unique-account count is lower because individuals appeared on multiple records (customer + business + plan-info). Charter publicly denies that CPNI (Customer Proprietary Network Information) or sensitive personal data was taken. The HIBP entry refines the scope to a defender-actionable figure and lets customers and IR teams check exposure across their workforce.

Check
Run your @company.com domains against HIBP for Charter exposure. If you are a Charter customer or vendor, expect targeted vishing themed around Spectrum service issues for the next 60 days.
Affected
4.9 million unique Charter/Spectrum customer email addresses now in HIBP. SaaS-extortion playbook (Salesforce + Entra/Okta SSO + BPO vishing) remains the broader risk pattern.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter calls. Organizations with Salesforce + Entra: enforce phishing-resistant MFA on all admin and BPO identities.

Charter Communications confirms ShinyHunters breach: 40M records via vishing-compromised Microsoft Entra employee account and Salesforce export

US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.

Check
Audit Microsoft Entra and Salesforce admin sign-ins for unusual IPs and large record exports around April 1, 2026. Search service-account activity for bulk data pulls.
Affected
Charter Communications/Spectrum customers (consumer and business). ShinyHunters claims 40M records exfiltrated via vishing of an Entra account. Broader: any org with Salesforce + Entra/Okta SSO + BPO support.
Fix
Enforce phishing-resistant MFA on every Entra account, especially help-desk and BPO identities. Apply Salesforce Shield Event Monitoring to alert on bulk exports. Train BPO/help-desk staff against vishing.

Calypso (Red Lamassu) Chinese APT hits APAC and Middle East telcos with Showboat Linux SOCKS5 backdoor and JMFBackdoor Windows RAT

Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (or kworker) that doubles as a SOCKS5 proxy and port-forwarder, plus a Windows RAT called JMFBackdoor delivered via DLL-sideloading of fltMC.exe + FLTLIB.dll. Showboat retrieves a 'hide' command from public dead-drops like Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters targeting distinct victim sets.

Check
Hunt telco environments for processes named kworker or fltMC.exe with anomalous DLL loads (FLTLIB.dll). Inspect outbound connections for SOCKS5 traffic to unexpected destinations. Check for requests to Pastebin.
Affected
Telecommunications providers across Asia Pacific and the Middle East. Multiple China-aligned clusters share the Showboat and JMFBackdoor tooling and certificate-generation patterns across distinct victim sets.
Fix
Block dead-drop dependencies by restricting Pastebin and similar code-paste domains at egress. Hunt for fltMC.exe sideloaded with non-Microsoft FLTLIB.dll. Apply Lumen Black Lotus Labs and PwC IoCs.
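The three hunts in the Check and Fix items above, as an added example that is not part of the original brief or of the Lumen/PwC research: it runs over a few constructed JSON-lines telemetry records (process, image-load and DNS events whose field names are an assumption) and flags fltMC.exe sideloading FLTLIB.dll from outside a Windows system directory, a user-space process masquerading as the kernel's kworker thread, and DNS lookups of paste sites used as dead-drops.

```python
import json

# Constructed sample endpoint and DNS telemetry (JSON lines); field names are assumed, not from any product.
SAMPLE_EVENTS = r"""
{"host":"win-edge01","type":"image_load","process":"C:\\Windows\\System32\\fltMC.exe","image":"C:\\Windows\\System32\\FLTLIB.dll","signer":"Microsoft Windows"}
{"host":"win-edge02","type":"image_load","process":"C:\\Users\\Public\\fltMC.exe","image":"C:\\Users\\Public\\FLTLIB.dll","signer":""}
{"host":"lnx-core01","type":"process","name":"kworker/u8:1","exe":"","ppid":2}
{"host":"lnx-core02","type":"process","name":"kworker","exe":"/tmp/.x/kworker","ppid":1}
{"host":"lnx-core02","type":"dns","query":"pastebin.com"}
{"host":"lnx-core01","type":"dns","query":"ntp.example.net"}
"""
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PASTE_SITES = {"pastebin.com"}  # extend with other paste services your egress policy restricts

def check_fltmc_sideload(ev):
    # Legitimate fltMC.exe and FLTLIB.dll both live in a Windows system dir and the DLL is Microsoft-signed.
    if ev.get("type") != "image_load" or not ev["image"].lower().endswith("fltlib.dll"):
        return None
    proc_dir = ev["process"].lower().rsplit("\\", 1)[0]
    dll_dir = ev["image"].lower().rsplit("\\", 1)[0]
    ms_signed = "microsoft" in ev.get("signer", "").lower()
    if proc_dir in SYSTEM_DIRS and dll_dir in SYSTEM_DIRS and ms_signed:
        return None
    return f"{ev['host']}: fltMC.exe sideload candidate, FLTLIB.dll loaded from {ev['image']}"

def check_fake_kworker(ev):
    # Real kworker threads are kernel threads: parent is kthreadd (pid 2) and there is no on-disk executable.
    if ev.get("type") != "process" or not ev["name"].startswith("kworker"):
        return None
    if ev.get("ppid") == 2 and not ev.get("exe"):
        return None
    return f"{ev['host']}: user-space process masquerading as kworker, exe={ev.get('exe')!r} ppid={ev.get('ppid')}"

def check_paste_dead_drop(ev):
    # Showboat fetches its 'hide' command from public paste sites; servers rarely have a reason to resolve them.
    if ev.get("type") != "dns" or ev["query"].lower() not in PASTE_SITES:
        return None
    return f"{ev['host']}: DNS lookup of paste site {ev['query']} (possible dead-drop fetch)"

CHECKS = (check_fltmc_sideload, check_fake_kworker, check_paste_dead_drop)

def hunt(events_text=SAMPLE_EVENTS):
    # Run every check over JSON-lines telemetry and return the findings in event order.
    events = (json.loads(line) for line in events_text.strip().splitlines())
    return [hit for ev in events for check in CHECKS if (hit := check(ev))]
```

Feed real telemetry to hunt() as JSON lines with the same field names, or adapt the three check functions to your EDR's schema.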

Huawei VRP router zero-day crashed Luxembourg's entire telecom network for 3+ hours (July 2025, disclosed now)

Recorded Future News has connected last summer's three-hour POST Luxembourg outage - which took down landline, 4G, and 5G networks across the country and left residents unable to dial emergency services - to a zero-day in Huawei enterprise routers running VRP. Specially crafted network traffic merely passing through caused the routers to enter a continuous restart loop. Luxembourg's prosecutor concluded no one had targeted Luxembourg specifically; the data was just transit traffic. Huawei has not assigned a CVE for the bug and routes its enterprise advisories through a restricted customer portal rather than publicly, leaving operators with little ability to track exposure.

Check
Inventory Huawei VRP-based routers (NetEngine, AR series, CloudEngine) and software versions. Confirm direct access to Huawei's restricted customer portal so you receive enterprise advisories.
Affected
Huawei enterprise routers running VRP that process untrusted internet traffic. Service providers are most exposed; downstream enterprise customers face transit risk.
Fix
Apply the latest Huawei VRP updates via your customer portal. Where possible, deploy multi-vendor diversity at network borders so a single buggy product cannot take down your entire WAN.