What to Do When Your Vendor Has a Data Breach
When a vendor your business uses gets breached, your data may be exposed even if your own systems were never touched. This week made that concrete.
Charter Communications, which operates Spectrum Business, confirmed a breach that attackers claim involves up to 42 million records. The same extortion group, ShinyHunters, separately confirmed a 7-Eleven breach exposing Social Security numbers and driver's licenses for 185,000 people. The majority of those affected are franchise operators and job applicants. Small business owners.
Your systems weren't hacked. But your data may be in both of those dumps.
Two Breaches, One Attack Pattern
The ShinyHunters group has claimed roughly 300 to 400 total targets. Their operations in 2026 have combined two techniques: automated scanning that identifies misconfigured SaaS platforms at scale, and vishing, which is phone-based social engineering designed to convince employees to hand over credentials.
Charter's breach started with a vishing call. An attacker impersonated an IT support contact, convinced a Charter employee to provide their Microsoft Entra credentials, and used that access to bulk-export records from Salesforce. 7-Eleven's breach exploited a misconfigured Salesforce Experience Cloud instance that exposed customer and applicant data without requiring authentication.
Neither attack required sophisticated malware. Both required a misconfigured SaaS environment and one moment of employee confusion.
After 7-Eleven declined to pay a ransom, ShinyHunters released 9.4 gigabytes of the stolen data publicly. The FBI has advised organizations not to pay.
Why This Matters If You're Not Charter or 7-Eleven
Spectrum Business is one of the most common internet and phone providers for NJ and NYC area businesses. If your firm uses Spectrum for connectivity or phone service, your account-level information sits inside Charter's systems. It may be in that breach.
The 7-Eleven breach hit franchise operators: people who run small businesses, manage payroll, deal with their own employees, and submitted personal information to a national brand during the application process. Their SSNs and driver's licenses are now in a public data dump. The brand got hacked. The franchise operators absorbed the downstream damage.
That pattern shows up across industries. Larger vendors serve thousands of smaller businesses. When the vendor's security fails, the exposure flows downstream.
The Attack Vector Your IT Stack Should Care About
Salesforce misconfiguration is not an exotic vulnerability. It is an operational reality at most mid-size and growing businesses that use the platform. As Salesforce environments age, they accumulate: integrations that were set up for a project and never decommissioned, community portals with permissions that made sense at launch but were never audited, API tokens with broader access than necessary.
The same pattern applies to Microsoft Entra, Azure AD, HubSpot, and any other platform where your identity and access policies were set up once and rarely revisited.
ShinyHunters is not manually investigating each target. They are running automated tools across hundreds of companies looking for these configurations. If your Salesforce instance has an exposed community portal or an overpermissioned integration, it shows up in those scans the same way a large enterprise's does.
Scale does not protect you here.
What Businesses Should Do Now
If you use Spectrum or have a 7-Eleven franchise relationship, the immediate steps are straightforward:
Watch for breach notification letters. Both Charter and 7-Eleven have legal obligations to notify affected customers under state breach notification laws. If you haven't received one yet and you're a customer of either company, watch for formal communications.
Verify what data the vendor held. Think through what you gave them: payment information, contact records, employee data, integration credentials. The scope of your exposure is a function of what you shared.
If you use Salesforce, this is a good week to pull up your configuration. Look at third-party integrations, review which ones are still actively used, and remove anything that isn't. Check your community portal or Experience Cloud settings if you run one. Audit API permissions.
Review your Microsoft Entra conditional access policies. The Charter attack succeeded because a single vished credential gave the attacker full Salesforce access. Conditional access policies and MFA can limit how much damage a single compromised credential does before someone notices.
Update credentials for any system that connects to the affected vendors' platforms.
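The conditional access review described above, as an added example (not from the original article or from any vendor's tooling): a Python check over policies in the shape Microsoft Graph returns for conditional access, listing the reasons a policy that looks like "MFA required" does not actually force MFA for one application. The app ID, group name and sample policies are constructed, and the check reads only the built-in grant controls, ignoring location, platform and authentication-strength settings.

```python
CRM_APP_ID = "00000000-0000-0000-0000-00000000c0de"  # constructed placeholder, not a real app ID

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_EXPORT = [
    {"displayName": "MFA for all apps (pilot)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA or compliant device for CRM", "state": "enabled",
     "conditions": {
         "users": {"includeUsers": ["All"], "excludeGroups": ["constructed-helpdesk-group"]},
         "applications": {"includeApplications": [CRM_APP_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]

def targets_app(policy, app_id):
    apps = policy.get("conditions", {}).get("applications", {})
    included = apps.get("includeApplications") or []
    excluded = apps.get("excludeApplications") or []
    return ("All" in included or app_id in included) and app_id not in excluded

def mfa_gaps(policy):
    """Reasons this policy does not force MFA on every user (empty list = enforced)."""
    gaps = []
    if policy.get("state") != "enabled":  # disabled and report-only policies block nothing
        gaps.append("not enforced: state=%s" % policy.get("state"))
    users = policy.get("conditions", {}).get("users", {})
    if "All" not in (users.get("includeUsers") or []):
        gaps.append("does not include all users")
    for key in ("excludeUsers", "excludeGroups", "excludeRoles"):
        if users.get(key):
            gaps.append("%s: %d excluded" % (key, len(users[key])))
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        gaps.append("MFA is not a grant control")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        gaps.append("MFA optional: OR with other controls")
    return gaps

def audit(policies, app_id):
    return {p["displayName"]: mfa_gaps(p) for p in policies if targets_app(p, app_id)}

def app_is_protected(policies, app_id):
    return any(not gaps for gaps in audit(policies, app_id).values())

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_EXPORT, CRM_APP_ID).items():
        print(name, "->", gaps or "enforces MFA")
```

Both sample policies mention MFA, yet neither guarantees it: one is report-only, the other exempts a group and accepts a compliant device instead.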
The Part You Can't Control and the Part You Can
You can't decide how well your vendors protect their systems. Charter is a multibillion-dollar company with full-time security staff. They still got vished. That reality is uncomfortable, but it's accurate.
What you can control is your own exposure surface: how much access you give vendors, how your own SaaS stack is configured, and whether you have a documented process for responding when a breach notification arrives.
Businesses that treat SaaS configuration as a one-time setup task tend to accumulate the kind of configuration drift that automated attackers scan for. Businesses that audit configurations regularly, maintain an inventory of what data sits where, and practice breach response have a smaller attack surface and respond faster when it's their vendor on the news.
The threat isn't slowing down. ShinyHunters ran this same playbook against hundreds of organizations this year. The configuration gaps that enabled it are present in most SaaS environments that haven't been actively maintained.
That's the work that prevents the next one.
Frequently Asked Questions
What should I do if I'm a Spectrum Business customer affected by the Charter breach?
Monitor for formal breach notification letters from Charter or Spectrum. These are required under state breach notification laws. Review your account for unexpected changes and update credentials for any services that share the same login as your Spectrum account.
What is a vendor data breach and how does it affect growing businesses?
A vendor data breach occurs when a third-party company that holds your data is attacked. Even if your own systems are secure, data you provided to the vendor, including contact records, payment information, and employee details, may be exposed. Growing businesses that rely on large SaaS platforms and service providers are particularly exposed to this risk.
How does ShinyHunters find targets for their attacks?
ShinyHunters uses automated scanning tools to identify misconfigured SaaS platforms, including Salesforce and Microsoft Entra environments. They combine this with vishing, phone-based social engineering calls, to harvest employee credentials. The group claims hundreds of targets and has demanded ransoms of $1 million or more in recent campaigns.
What is Salesforce misconfiguration and why is it a security risk?
Salesforce misconfiguration refers to settings that expose data beyond what was intended, such as overpermissioned community portals, unused third-party integrations that still have API access, or field-level security settings that weren't reviewed as the platform evolved. Attackers use automated tools to scan for these issues, and a single exposed configuration can give them access to large amounts of business data.
Does my business have notification obligations if a vendor is breached?
It depends on what data was exposed and where your business operates. If the breached vendor held personal information about your employees or customers on your behalf, you may have obligations under state laws such as the New Jersey Identity Theft Prevention Act or other applicable regulations. Review the scope with your IT and legal advisors when you receive a breach notification.