Credit monitoring firm TransUnion has leaked the personal information of over 4.4 million people in an apparent Salesforce data breach.
According to a breach notification filed with the Office of the Maine Attorney General, the incident occurred on July 28, 2025, and was discovered on July 30.
TransUnion says the incident involved “a third-party application serving our U.S. consumer support operations” and leaked “some limited personal information.”
However, it did not expose credit reports or core credit information, which would be invaluable for committing fraud. The company’s internal systems were apparently not affected as the data breach was limited to the third-party platform.
“Any data breach of credit monitoring services is quite serious, especially breaches that involve tampering of any kind,” noted Lawrence Pingree, Technical Evangelist at Dispersive. “So far, we’ve seen limited breach that do that, so if there is something positive it’s that at least it’s a typical style data breach.”
“Unfortunately, TransUnion and other reporting organizations – and all third parties interacting with them – need to maintain the utmost security posture and resilience in the face of exhaustive targeting, both due to the high profile they have and their dataset’s importance,” added Pingree.
In response, the credit monitoring behemoth said it was enhancing its security controls and would provide the victims with 24 months of credit monitoring services to protect them from fraud.
However, customers should also track their credit and financial statements and report any suspicious activity.
“The TransUnion breach is another case of attackers increasingly targeting supply-chain APIs. Organizations must treat API access and mobile security as core strategic priorities,” said Ted Miracco, CEO, Approov. “Ensuring rapid key revocation capability, secure secret management, and robust third-party vetting are critical defenses.”
ShinyHunters takes credit for the TransUnion data breach
Prolific data leaker ShinyHunters has taken credit for the TransUnion data breach. It claims to have stolen extensive personal data, including the names, dates of birth, phone numbers, email addresses, Social Security Numbers, and billing addresses.
The threat group also allegedly accessed transaction information and customer support tickets, which are invaluable for crafting compelling phishing messages. Over 13 million records of personal information, affecting 4.4 million people, were compromised according to the threat actor.
“While most of the previous attacks have exposed sensitive but less critical information, the compromise of SSNs creates far greater potential for identity theft, financial fraud, and long-term misuse of personal data,” opined Cory Michal, chief security officer at AppOmni. “That elevates the impact of the TransUnion breach well above other recent disclosures, even if the number of affected individuals is smaller.”
In a separate filing with the Office of the Texas Attorney General, TransUnion confirmed that the data breach leaked customer names, Social Security Numbers, and dates of birth. Seemingly, the previous assessment, suggesting the data breach leaked only limited personal information, may change soon as more information becomes available.
“For context, the TransUnion breach compromised 4.4 million people,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech. “The 2017 Equifax breach compromised 147 million. It’s not as big, but it’s just as serious for those 4.4 million people. TransUnion does more than just generate credit reports.”
Ongoing campaign targeting Salesforce
Meanwhile, TransUnion joins the expanding list of companies breached in the voice phishing campaign targeting the Salesforce CRM.
Confirmed and potential victims include tech giants Google and Cisco, insurance giants Allianz Life Assurance and Farmers Insurance, luxury fashion retailers Dior, Chanel, and Pandora, HR behemoths Workday and Manpower, and Qantas Airlines.
Nonetheless, TransUnion did not name the impacted third-party vendor, attribute the data breach to any cybercrime group, or disclose if it had received any ransom demands.
Besides ShinyHunters, hacking group Scattered Spider has also executed similar cyber attacks targeting cloud-hosted information management systems, and pivot to the victim’s infrastructure, including virtualized environments.
This is also hardly the first time that TransUnion has allegedly suffered a third-party data breach. In September 2023, a threat actor claimed to have breached the credit monitoring firm via a third-party, a claim that the company vehemently denied. The alleged data breach affected 59,000 people worldwide, thereby limiting its potential impact, if it ever occurred.
That attack was claimed by threat actor USDoD on the seized hacking platform BreachForums. However, TransUnion claimed that the data formatting style did not match that of any of its third-party vendors.
