TransUnion, one of the three major U.S. credit reporting agencies, has confirmed a data breach impacting over 4.4 million people in the United States. According to regulatory filings, the incident is linked to unauthorized access through the company’s Salesforce account, part of a wider wave of cyberattacks targeting Salesforce customers.

TransUnion Data Breach Details

The credit bureau disclosed that the breach occurred on July 28, 2025, and was discovered two days later. TransUnion stated in its consumer notifications that the cyberattack stemmed from a third-party application supporting its U.S. consumer support operations. While the company emphasized that credit reports and core financial data were not compromised, the stolen records contained highly sensitive information.

Threat actors claim the dataset includes names, addresses, phone numbers, email addresses, dates of birth, Social Security Numbers, and customer service records. A sample of leaked data reviewed by independent cybersecurity researchers also revealed transaction details, such as requests for free credit reports, raising concerns about identity theft and fraud risks.

Scope of the Data Breach

While TransUnion initially described the data exposure as “limited,” hackers allege they stole 13 million records worldwide, including 4.4 million belonging to U.S. residents. With the company handling credit information for over 200 million U.S. consumers and more than one billion globally, any breach at this scale is significant.

TransUnion has started notifying impacted individuals and is offering two years of free credit monitoring and identity theft protection services. Security professionals warn, however, that stolen Social Security Numbers can be exploited for long-term fraud well beyond the monitoring period.

Connection to Salesforce Cyberattacks

This breach is part of an expanding series of Salesforce-targeted cyberattacks that have hit major corporations in 2025. High-profile victims include Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas.

Cybersecurity intelligence links the TransUnion breach to the ShinyHunters extortion group and a threat cluster tracked as UNC6395. These groups specialize in stealing OAuth tokens and infiltrating Salesforce accounts to harvest sensitive customer data, which is later leveraged for extortion or sold on cybercrime marketplaces.

TransUnion’s History of Security Incidents

This is not the first time TransUnion has faced scrutiny over data protection. In recent years, its South African and Canadian branches both reported breaches affecting consumer information. Two years ago, hackers also claimed to have breached TransUnion systems, though the company denied responsibility, attributing the stolen data to a compromised third-party vendor.

The latest attack underscores the ongoing vulnerabilities in third-party applications and SaaS platforms like Salesforce, which remain a favored target for advanced threat actors.

By Jennifer Ejim