The credit bureau has confirmed that personal data was stolen via a third-party Salesforce application in an ongoing wave of cyberattacks.
TransUnion, one of the three major U.S. credit reporting agencies, has disclosed a data breach that exposed personal information belonging to over 4.4 million individuals in the United States. The company filed notice of the incident with the Maine Attorney General's office, confirming that the breach occurred on July 28, 2025, and was detected two days later.
According to the breach notification, the attack involved unauthorized access through a third-party application supporting TransUnion’s U.S. consumer support operations. While the company initially described the exposure as “limited,” sources have since confirmed the stolen data includes sensitive personal information, though no credit reports or core credit data were affected.
The breach has now been linked to a broader series of attacks targeting Salesforce environments, carried out by groups such as ShinyHunters and UNC6395. These attackers have previously targeted large organizations including Google, Workday, Farmers Insurance, and Allianz Life.
BleepingComputer obtained a sample of the stolen TransUnion data, which includes names, birth dates, Social Security numbers (unredacted), email addresses, phone numbers, billing addresses, and customer service messages. The data also includes records explaining why users contacted TransUnion, such as requests for free credit reports.
Threat actors claim to have exfiltrated over 13 million records in total, with 4.4 million related to U.S. residents.
TransUnion is offering 24 months of complimentary credit monitoring and identity theft protection to those affected.
TransUnion’s breach notification described the incident as a “cyber incident involving a third-party application,” and reiterated that no credit reports or core credit data had been accessed. The company has not commented on the volume or specific types of information compromised beyond what was included in individual notifications.
BleepingComputer confirmed through two sources, including the ShinyHunters group, that the breach was part of the ongoing wave of Salesforce-targeted attacks. TransUnion has not yet publicly addressed this connection.
Salesforce is a cloud-based customer relationship management (CRM) platform. In this case, attackers exploited a vulnerability or misconfiguration in a Salesforce-based third-party application used by TransUnion’s support team.
The breach occurred in a consumer support system, not in the core databases that store credit histories or financial scores, which are typically segregated and more tightly controlled.
These are cybercriminal groups known for orchestrating large-scale data theft and extortion campaigns. They have targeted multiple global companies, often by breaching third-party platforms like Salesforce.
TransUnion previously denied involvement in a breach in 2022, attributing the leaked data to a third party. However, its South African and Canadian branches have suffered confirmed breaches in recent years, showing an ongoing pattern of exposure.
Consumers should enroll in the offered credit monitoring service, check their credit reports for unusual activity, and consider placing a fraud alert or credit freeze if they detect suspicious behavior.