Nobody Broke the Encryption: Inside the 2026 Vishing Breach Wave
In the last two weeks of May 2026, three large organizations told their customers the same thing in slightly different words: your personal data was copied by someone who shouldn’t have had it. Charter Communications — the cable and broadband company that operates as Spectrum — faced a claim of more than 40 million customer records. Carnival, the world’s largest cruise operator, confirmed almost six million. The dental-benefits administrator DentaQuest had roughly 234 gigabytes of its data dumped on a leak site after it refused to pay, exposing around 2.6 million people.
Three industries, three unrelated companies, one quarter. And in none of them did the attacker break a single cryptographic primitive. They didn’t factor a key, defeat a cipher, or find a flaw in TLS. They picked up a phone.
This is the most important thing to understand about how data actually leaks in 2026, and it is the entire reason a system like RVNT is designed the way it is.
The attack was a conversation
The common thread running through this spring’s breaches is a technique with an unglamorous name: vishing, or voice phishing. An attacker calls an employee — often posing as IT support, sometimes with enough internal detail to sound legitimate — and talks them into handing over credentials or approving a multi-factor prompt. From there, the intruder walks in through the front door, because as far as the systems are concerned, they are the employee.
Charter’s breach, disclosed on May 27, reportedly began exactly this way: a voice-phishing call that captured a Microsoft Entra (the identity service formerly called Azure AD) account, which was then used to reach the company’s Salesforce instance. The exposed fields, per the extortion group’s claims, included names, email and physical addresses, phone numbers, plan information, and support-ticket history. Charter has publicly disputed the scope, stating that no sensitive personal information or customer proprietary network information was exfiltrated — a dispute that is itself revealing, and one we’ll come back to.
Carnival’s notice, which began reaching the 5,995,277 affected customers on May 28, describes the same shape of attack in its own words: “an unauthorized actor used social engineering to deceive an employee to gain access to a limited portion of the Company’s IT system.” The data copied included names, dates of birth, email addresses, and other personal details. The intrusion was detected on April 14; the company confirmed data had been illegally copied on April 22.
DentaQuest fits the pattern from the other end — the extortion end. After negotiations failed, roughly 234 GB of allegedly stolen data was published, and analysis of the dump found around 2.6 million unique email addresses alongside names, addresses, dates of birth, government-issued IDs, and health-insurance information.
The same extortion crew — operating under the name ShinyHunters, and tracked by Google’s threat-intelligence team as a cluster involving the identifiers UNC6040 (the intrusions) and UNC6240 (the extortion) — has been linked to a long run of 2026 incidents using this one playbook: call a human, get into single sign-on, pivot to the cloud CRM, take everything. Even an identity-protection vendor, Aura, disclosed a vishing-driven exposure of roughly 900,000 records earlier in the spring — a company paid to protect identities, breached through the same phone call.
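The playbook above (a help-desk reset, a single sign-on login, a pivot to the CRM, a bulk copy) leaves a sequence of events a defender can correlate. The sketch below is an added example, not code from the original post or from RVNT; the event names, fields, 24-hour window and row threshold are assumptions, and the events are constructed rather than taken from a real Entra or Salesforce log schema.

```python
from datetime import datetime, timedelta

# Constructed, normalized events; not a real Entra or Salesforce log schema.
EVENTS = [
    {"ts": "2026-01-05T09:02:00", "user": "alice", "type": "helpdesk_password_reset"},
    {"ts": "2026-01-05T09:10:00", "user": "alice", "type": "sso_login",
     "app": "crm", "device": "dev-unseen-1"},
    {"ts": "2026-01-05T09:40:00", "user": "alice", "type": "crm_export", "rows": 1_200_000},
    # bob: routine small export, no preceding reset
    {"ts": "2026-01-05T10:00:00", "user": "bob", "type": "sso_login",
     "app": "crm", "device": "dev-bob"},
    {"ts": "2026-01-05T10:05:00", "user": "bob", "type": "crm_export", "rows": 800},
    # carol: reset, but the large export happens two days later (outside window)
    {"ts": "2026-01-05T11:00:00", "user": "carol", "type": "helpdesk_password_reset"},
    {"ts": "2026-01-07T11:00:00", "user": "carol", "type": "crm_export", "rows": 900_000},
]
KNOWN_DEVICES = {"alice": {"dev-alice"}, "bob": {"dev-bob"}, "carol": {"dev-carol"}}


def find_reset_to_export_chains(events, known_devices,
                                window=timedelta(hours=24), row_threshold=50_000):
    """Flag reset -> CRM sign-in from unseen device -> bulk export, all within `window`."""
    alerts, pending = [], {}  # pending: user -> {"reset": datetime, "device": str | None}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort by time
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "helpdesk_password_reset":
            pending[user] = {"reset": ts, "device": None}
            continue
        st = pending.get(user)
        if st is None:
            continue  # no recent reset for this user: nothing to correlate
        if ts - st["reset"] > window:
            del pending[user]  # chain expired
            continue
        if ev["type"] == "sso_login" and ev.get("app") == "crm":
            if ev["device"] not in known_devices.get(user, set()):
                st["device"] = ev["device"]
        elif ev["type"] == "crm_export" and st["device"] and ev["rows"] >= row_threshold:
            alerts.append({"user": user, "reset_at": st["reset"], "export_at": ts,
                           "device": st["device"], "rows": ev["rows"]})
    return alerts


if __name__ == "__main__":
    for alert in find_reset_to_export_chains(EVENTS, KNOWN_DEVICES):
        print(alert)
```

In practice the two halves of this chain sit in different systems, the identity provider and the CRM audit log, so the user join key and clock alignment need to be settled before the correlation means anything.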
Why the cipher was never the target
There’s a comforting story people tell themselves about security: that the lock on the door is the thing that matters, so a strong enough lock keeps you safe. Modern cryptography really is that strong lock. AES-256 and X25519 are not the weak point in any of these incidents, and the attackers knew it. Breaking them is computationally hopeless. Talking a tired help-desk worker into a password reset is a Tuesday.
So the attack moved to where the data actually lives: a centralized account with broad reach over a centralized store. This is the structural fact that no amount of in-transit encryption addresses.
    [ millions of users ]
              │  (their data, all of it)
              ▼
    [ ONE company's CRM / cloud tenant ]
              ▲
              │  (one employee account)
    [ a phone call ]
When a single organization aggregates the records of millions of people into one system, it creates a target whose value is enormous and whose compromise is total. The defenders have to win every day, across every employee, against every pretext. The attacker has to win once, with one convincing call. That asymmetry is not a failure of any particular company’s security team. It is a property of the architecture.
This is also why the double-extortion model — steal the data, then threaten to publish it — has displaced old-style “encrypt your files and demand a ransom” attacks. The attacker doesn’t need to break your encryption or even deny you access. They just need a copy of the centralized honeypot. DentaQuest’s data went public not because anyone defeated a cipher, but because the data existed in one extractable place and the company wouldn’t pay.
The dispute that proves the point
Notice Charter’s response: a flat statement that no sensitive data was taken, contradicting the attacker’s claim that it was. You, the customer, cannot verify either side. You have no way to inspect what was in that Salesforce instance, what was queried, or what left. You are asked to trust a press statement from the party with the strongest incentive to minimize.
That is the ordinary condition of centralized custody: you hand your data to an intermediary, and from then on your privacy is a function of their competence, their honesty, and their incident-response messaging. The breach is invisible to you until it isn’t, and even then the truth is contested.
How RVNT removes the honeypot
RVNT is built on a refusal: there is no central store of your messages, your contacts, or your files for anyone to call an employee about. It is fully peer-to-peer. Messages travel device to device, end-to-end encrypted with a hybrid X3DH handshake and the Double Ratchet, and no central server ever holds your content. There is no company-wide CRM that aggregates millions of users into one queryable place, because there is no company in the data path at all.
You cannot vish your way into a database that does not exist.
- No central account holds everyone’s data. The catastrophic single point of compromise — one tenant, one admin login, one help-desk reset — simply isn’t there. Your data lives on your device, under your keys.
- Sealed sender removes the social graph. Even the metadata that breach disclosures rarely mention — who talks to whom — is minimized by sealed sender, so there is no convenient edge-list to exfiltrate. We wrote about why that matters in Metadata Is the Message.
- You don’t have to trust our press release. RVNT is open source under AGPLv3. You can read exactly what is stored and where, instead of taking a statement on faith after the fact.
The honest limit
Decentralization moves the honeypot; it does not abolish social engineering. We will say that plainly, because a tool that names its limits is more trustworthy than one that claims to solve everything.
If you are the one who gets the phone call — if you are talked into installing malware, approving a malicious linked device, or typing your PIN into a fake screen — then no architecture protects you, because the attacker is acting as you on your own device. Endpoint and human security are their own disciplines, and we say so in our threat model. RVNT also cannot protect data you have already handed to a third party. The moment you give your passport number to a cruise line, that copy lives by the cruise line’s rules, not yours.
What RVNT changes is the scale of the failure. A successful social-engineering attack against a centralized service can expose millions of people who never made a mistake. A successful attack against a single RVNT user exposes one device. The blast radius is the whole point.
What to take from this spring
The 2026 vishing wave is not a story about clever hacking. It’s a story about where data sits. Every one of these companies almost certainly used encryption in transit and at rest. It didn’t matter, because the breach didn’t go through the cryptography — it went through the org chart, into the one account that could see everything.
The lesson isn’t “use a longer key.” It’s “stop building places worth attacking.” Don’t trust us on that — the code is public. Read it, check the architecture, and verify that the central database an attacker would call to compromise is one we never built.