Charter/Spectrum: vishing, Entra, Salesforce — FIDO2 MFA as the GDPR/NIS2 countermeasure

ShinyHunters allegedly vished a Charter/Spectrum employee, took over a Microsoft Entra account, and exfiltrated Salesforce data. Phishing‑resistant MFA (FIDO2/WebAuthn) meets GDPR Art. 32 and blocks the initial access.

Summary — On May 26–27, 2026, Charter Communications (“Spectrum”) confirmed a breach following leak threats by ShinyHunters. Reports indicate the attack started on April 1, 2026 via vishing, leading to a Microsoft Entra account takeover and Salesforce data exfiltration. Claimed volumes reach ~40 million records. Sources: TechRadar, analysis of the “Salesforce Aura/Experience Cloud” campaign confirmed by Mandiant (BleepingComputer), consumer recap (Tom’s Guide).

The facts

Observed kill chain:

  • Vishing to extract a code, get a sign‑in approved, or enroll a new device;
  • Access to Microsoft Entra SSO;
  • Leverage SaaS integrations (Salesforce) to pull data via entitlements, views, or APIs.

This pattern aligns with 2025–2026 campaigns targeting misconfigured Salesforce portals (Experience Cloud/Aura) and, more broadly, SSO estates lacking phishing‑resistant MFA (source: BleepingComputer).

The legal framework

  • GDPR — Article 32: implement “appropriate” technical and organisational measures given the state of the art. Strong MFA is increasingly expected by authorities (see EDPB — Art. 32, CNPD Luxembourg, CNIL).
  • NIS 2 — Article 21: minimum risk‑management measures include identity and access controls, with increasingly explicit MFA expectations (EUR‑Lex — NIS 2).

Bottom line: across the EU (Luxembourg, Belgium, France, Germany), phishing‑resistant MFA on critical access is now the expected, auditable measure under Art. 32 and Art. 21.

To structure and evidence compliance, our certified DPO services handle proportionality and documentation, while our fractional CISO drives identity and access implementation.

The technical solution to deploy

Goal: neutralize social engineering (phishing/vishing/OTP fatigue) with phishing‑resistant authentication, ideally FIDO2/WebAuthn (hardware keys or passkeys with strong attestation).

  • Allowed methods: FIDO2/WebAuthn (NFC/USB/Bluetooth keys like YubiKey, or device‑bound passkeys). Disable SMS, voice calls, and TOTP codes that a user can read out over the phone.
  • Conditional access: require FIDO2 for admins, external access, and risky device/location changes. Block factor enrollment without strong re‑authentication.
  • Attestation and AAGUID allow‑list: permit only approved authenticators (FIPS/CC where required).
  • Sessions and tokens: shorten lifetimes, enable token protection where available, monitor OAuth/OIDC (consent phishing, rogue apps).
  • Logging and effectiveness: centralize authentication events, track adoption, and test regularly. Article 32 requires effectiveness assessment.
  • Salesforce: lock down Experience Cloud guest profiles, limit views/exports, audit (AuraInspector/Mandiant), and bind entitlements to identity attributes validated via SSO + FIDO2 MFA. Ref.: BleepingComputer.
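As an added illustration (not code from the article or from Luxgap), the check a relying party's WebAuthn registration endpoint applies to enforce the AAGUID allow‑list and the RP‑ID binding that makes FIDO2 phishing‑resistant; the RP ID, the AAGUID values and the test‑vector builder are assumptions, and the COSE public key is not parsed:

```python
# Added example (not from the original article): the server-side policy check an
# SSO relying party applies when a user registers a FIDO2/WebAuthn credential.
# A credential minted on a look-alike domain fails the rpIdHash check, and an
# unapproved authenticator model fails the AAGUID allow-list. Values are placeholders.
import hashlib
import struct
import uuid

RP_ID = "sso.example.com"                                   # placeholder RP ID
ALLOWED_AAGUIDS = {"11111111-1111-1111-1111-111111111111"}  # placeholder approved model
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40                # WebAuthn authData flag bits

def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed layout of authenticator data: rpIdHash(32) | flags(1) |
    signCount(4) | [AAGUID(16) | credIdLen(2) | credId | COSE key] when AT is set."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    out = {"rp_id_hash": auth_data[:32], "flags": auth_data[32],
           "sign_count": struct.unpack(">I", auth_data[33:37])[0], "aaguid": None, "cred_id": None}
    if out["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        out["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        out["cred_id"] = auth_data[55:55 + cred_len]
    return out

def registration_allowed(auth_data: bytes, rp_id: str = RP_ID) -> tuple:
    """Return (ok, reason): reject credentials not bound to our RP ID, without
    user presence + verification, or from an authenticator outside the allow-list."""
    try:
        ad = parse_auth_data(auth_data)
    except ValueError as e:
        return False, str(e)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential not bound to our RP ID"
    if (ad["flags"] & (FLAG_UP | FLAG_UV)) != (FLAG_UP | FLAG_UV):
        return False, "user presence/verification not asserted"
    if ad["aaguid"] is None:
        return False, "no attested credential data"
    if ad["aaguid"] not in ALLOWED_AAGUIDS:
        return False, "AAGUID not on allow-list: " + ad["aaguid"]
    return True, "ok"

def build_auth_data(rp_id: str, aaguid: str, flags: int = FLAG_UP | FLAG_UV | FLAG_AT) -> bytes:
    """Build a constructed authData test vector (fixed credential ID, COSE key omitted)."""
    cred_id = b"\xab" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id)
```

A production relying party also verifies the attestation statement and signature; this block isolates the two policy decisions the bullets above call for.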

This setup aligns with ISO/IEC 27001 (A.5.15, A.5.17, A.8.3), NIST CSF 2.0 (ID.AM‑04, PR.AC‑01…07, DE.AE‑03) and CIS Controls v8 (6, 12, 15). Our managed SOC consolidates Entra/Okta/Salesforce logs to detect suspicious enrollments and blocked access attempts.

How Luxgap delivers

  • ISO 27001 governance: FIDO2 prioritization (admins, remote access, critical SaaS), authentication policy, key attestation, and quarterly reviews (Art. 32 / NIS 2 Art. 21(f)).
  • Managed SOC: vishing IOC correlation, anomalous enrollment alerts, session revocation and reset workflows.
  • External DPO and CISO: GDPR Art. 32 alignment, effectiveness testing documentation, register updates and processor clauses.

For Luxembourg entities under NIS 2, see our overview of NIS 2 in Luxembourg to map MFA and access controls to local obligations.

EU case study

A fiduciary (NIS 2 important entity) used TOTP/SMS for staff and suppliers on a SaaS CRM. In 6 weeks:

  • FIDO2/WebAuthn for 100% of admins and 60% of exposed users;
  • SMS/TOTP blocked on external access;
  • AAGUID allow‑list and sealed break‑glass vault;
  • Salesforce hardening (guest profiles, export, logging).

Outcome: push‑fatigue and enrollment fraud disappeared; GDPR Art. 32 evidence available (SIEM dashboards: adoption, factors used, blocked attempts). For regulatory grounding, see our page on GDPR and security of processing.

First concrete steps

  1. Map critical accounts and access: admins, VPN/RDP, SSO, Salesforce/CRM, exports.
  2. Choose the method: FIDO2/WebAuthn by default; ban SMS/voice; limit TOTP to break‑glass.
  3. Define SSO policies: FIDO2 for admins and external access; enrollment requires strong re‑auth; short sessions; block legacy protocols.
  4. Secure Salesforce: review Experience Cloud/guest users, restrict exports, enable audit, correlate SSO/SaaS logs.
  5. Prove effectiveness (Art. 32): centralize logs, set KPIs, quarterly phishing simulations, document.
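Added example (not code from the article or from Luxgap) covering step 5 above and the suspicious‑enrollment detection mentioned under the managed SOC: it runs over a constructed set of centralized SSO events, alerts when a factor is enrolled shortly after a sign‑in from an IP outside the user's baseline or with a banned factor, and computes the FIDO2 adoption KPI; the event layout, baseline and records are assumptions:

```python
# Added example (not from the original article): detection logic a SOC could run
# over centralized SSO events to catch the enrollment-fraud pattern described in
# the article, plus the Art. 32 adoption KPI. The event layout, the IP baseline
# and every record below are constructed, not a vendor's log format.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
WEAK_METHODS = {"sms", "voice", "totp"}   # factors the policy bans
STRONG_METHODS = {"fido2"}                # phishing-resistant factors

EVENTS = [  # constructed sample: (timestamp, user, event kind, factor, source IP)
    ("2026-03-02T09:02:00", "alice", "signin", "fido2", "10.1.1.5"),
    ("2026-03-02T09:40:00", "bob",   "signin", "sms",   "203.0.113.9"),  # unknown IP, banned factor
    ("2026-03-02T09:51:00", "bob",   "enroll", "fido2", "203.0.113.9"),  # new key added 11 min later
    ("2026-03-02T10:15:00", "carol", "signin", "fido2", "10.1.1.7"),
    ("2026-03-02T11:00:00", "carol", "enroll", "fido2", "10.1.1.7"),     # known IP, outside window
]
KNOWN_IPS = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.6"}, "carol": {"10.1.1.7"}}  # constructed baseline

def parse(rec):
    ts, user, kind, factor, ip = rec
    return {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind, "factor": factor, "ip": ip}

def suspicious_enrollments(events, known_ips, window=WINDOW):
    """Alert on an 'enroll' event preceded within `window` by a sign-in from an IP
    outside the user's baseline or by a sign-in that used a banned factor."""
    recent, alerts = defaultdict(list), []
    for e in sorted(map(parse, events), key=lambda x: x["ts"]):
        if e["kind"] == "signin":
            recent[e["user"]].append(e)
        elif e["kind"] == "enroll":
            for s in recent[e["user"]]:
                if e["ts"] - s["ts"] > window:
                    continue
                reasons = []
                if s["ip"] not in known_ips.get(e["user"], set()):
                    reasons.append("new_ip")
                if s["factor"] in WEAK_METHODS:
                    reasons.append("weak_factor")
                if reasons:
                    alerts.append((e["user"], e["ts"].isoformat(), e["factor"], reasons))
    return alerts

def fido2_adoption(events):
    """KPI for Art. 32 evidence: % of users whose latest sign-in used a strong factor."""
    last = {e["user"]: e["factor"] for e in sorted(map(parse, events), key=lambda x: x["ts"]) if e["kind"] == "signin"}
    return round(100 * sum(f in STRONG_METHODS for f in last.values()) / len(last), 1) if last else 0.0
```

An alert from suspicious_enrollments is the trigger for the session‑revocation and reset workflow described above; a real deployment would feed it from the SIEM rather than an inline list.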

We can assess your critical access within 48 hours and define a business‑fit FIDO2 plan. Reach us via our contact page.
