Consumer credit reporting giant TransUnion has disclosed a major data breach impacting more than 4.4 million U.S. consumers after attackers infiltrated its Salesforce account. The breach, first detected on July 30, 2025, follows a growing pattern of Salesforce data thefts linked to the ShinyHunters extortion group and the cluster UNC6395.
As one of the three major U.S. credit bureaus, alongside Equifax and Experian, TransUnion maintains credit data on over 1 billion consumers worldwide, including about 200 million Americans. Its data feeds into decision-making processes for 65,000 businesses—including banks, insurers, and employers—amplifying the potential downstream effects of any breach.

While TransUnion initially downplayed the breach as exposing “limited personal information,” threat actors have since claimed to possess over 13 million records, with at least 4.4 million tied to U.S. residents. A sample of the stolen data reviewed by BleepingComputer contained names, billing addresses, phone numbers, email addresses, dates of birth, and unredacted Social Security Numbers. Also included were customer support tickets and requests for free credit reports.
The breach underscores the increasing exploitation of Salesforce integrations by threat actors. Similar attacks have struck companies such as Google, Farmers Insurance, Allianz Life, Workday, Cisco, Chanel, Pandora, and Qantas this year. By abusing stolen OAuth tokens and exploiting weak integration security, adversaries have been able to mine sensitive customer information from Salesforce instances.
In response, TransUnion is offering affected customers 24 months of free credit monitoring and identity theft protection. The company maintains that no credit reports or “core credit information” were exposed, though the inclusion of SSNs and contact details poses a serious risk of identity theft and fraud. TransUnion has not yet revealed whether it is negotiating with the attackers or whether a ransom was paid.
This is not TransUnion’s first brush with security issues. Its South African and Canadian branches have previously suffered breaches that compromised customer data, and in 2022 a separate threat actor falsely claimed to have breached its systems. The current incident, however, highlights the ongoing challenge of securing third-party platforms like Salesforce, which are increasingly targeted in supply chain-style attacks.
The TransUnion Salesforce breach reinforces how third-party platforms remain a lucrative target for cybercriminals. Organizations relying on Salesforce or similar tools should enforce strict token management, integration monitoring, and data minimization strategies to reduce their exposure to future compromises. Consumers affected should remain vigilant against phishing, fraud attempts, and identity theft in the months ahead.