TransUnion Breach Exposed 4.4 Million U.S. Customers' Data


In July 2025, TransUnion, one of the three major U.S. credit bureaus, suffered a large-scale data breach impacting over 4.4 million U.S. individuals. The attack was likely a part of a wider campaign targeting Salesforce accounts, attributed to ShinyHunters and UNC6395. The stolen data includes highly sensitive personal identifiers, raising concerns of large-scale identity theft and fraud.

Severity Level: High

Incident Overview

  • Date of Breach: July 28, 2025
  • Date Discovered: July 30, 2025
  • Date Disclosed: August 28, 2025
  • Scope: Over 13 million records stolen globally, with 4.4 million U.S. records confirmed.
  • Attack Vector: Compromise of a third-party application used for consumer support operations.
  • Affected Organization: TransUnion, operating in 30 countries and handling credit data of over 1 billion consumers worldwide.

How The Breach Happened

  • The attackers likely gained unauthorized access to Salesforce accounts supporting TransUnion’s U.S. consumer support services.
  • They likely exploited compromised OAuth tokens and abused Salesforce’s API functionality to exfiltrate large volumes of customer records.
  • This method is consistent with ongoing Salesforce-linked campaigns impacting other enterprises such as Google, Farmers Insurance, Workday, Allianz Life, Cisco, and Chanel.
  • The breach was initially reported as “limited personal data,” but leaked samples confirmed highly sensitive identifiers were stolen.

Data Exposed During The Breach

The stolen dataset includes:

  • Full names
  • Billing addresses
  • Phone numbers
  • Email addresses
  • Dates of birth
  • Unredacted Social Security Numbers (SSNs)
  • Reason for customer transaction (e.g., credit report requests)
  • Customer support tickets and messages stored in Salesforce

Note: Core credit reports and credit history data were not exposed.

Recommendations

  1. Enforce mandatory MFA for all Salesforce and critical SaaS accounts.
  2. Limit OAuth token lifespan, enforce scoping, and regularly audit third-party API integrations.
  3. Enable CASB or SaaS monitoring tools to detect abnormal login patterns and excessive data downloads.
  4. Encrypt sensitive customer data stored in SaaS platforms, especially identifiers like SSNs.
  5. Apply data minimization practices: store only the necessary personal information in third-party applications.
  6. Conduct phishing awareness and token theft training tailored to SaaS threats.
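
As an added example for recommendation 3 (not part of the original advisory or any vendor's tooling), the sketch below flags hours in which an integration pulls far more records than its baseline or calls the API from an unseen source IP, the pattern a stolen OAuth token used for bulk export would produce. The log schema, app and user names, and thresholds are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of API query events from a SaaS audit log.
# Column names are hypothetical, not Salesforce's own event schema.
SAMPLE_LOG = """timestamp,app,user,src_ip,rows
2025-01-14T09:05:00,support-console,svc_support,203.0.113.10,180
2025-01-14T14:20:00,support-console,svc_support,203.0.113.10,220
2025-01-15T02:01:00,support-console,svc_support,198.51.100.77,50000
2025-01-15T02:07:00,support-console,svc_support,198.51.100.77,50000
2025-01-15T09:10:00,support-console,svc_support,203.0.113.10,200
"""

def hourly_buckets(rows):
    """Sum exported rows and collect source IPs per (app, user, hour)."""
    buckets = defaultdict(lambda: {"rows": 0, "ips": set()})
    for r in rows:
        hour = r["ts"].replace(minute=0, second=0)
        b = buckets[(r["app"], r["user"], hour)]
        b["rows"] += r["rows"]
        b["ips"].add(r["src_ip"])
    return buckets

def detect(log_text, baseline_end, volume_factor=10):
    rows = [dict(rec, ts=datetime.fromisoformat(rec["timestamp"]), rows=int(rec["rows"]))
            for rec in csv.DictReader(io.StringIO(log_text))]
    # Baseline before the cutoff: peak hourly volume and known IPs per (app, user).
    # An identity never seen in the baseline has peak 0 and is always flagged.
    peak, known = defaultdict(int), defaultdict(set)
    for (app, user, _), b in hourly_buckets(r for r in rows if r["ts"] < baseline_end).items():
        peak[(app, user)] = max(peak[(app, user)], b["rows"])
        known[(app, user)] |= b["ips"]
    alerts = []
    observed = hourly_buckets(r for r in rows if r["ts"] >= baseline_end)
    for (app, user, hour), b in sorted(observed.items()):
        reasons = []
        if b["rows"] > volume_factor * peak[(app, user)]:
            reasons.append("volume")
        if b["ips"] - known[(app, user)]:
            reasons.append("new_ip")
        if reasons:
            alerts.append({"app": app, "user": user, "hour": hour.isoformat(),
                           "rows": b["rows"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, datetime(2025, 1, 15)):
        print(alert)
```

The normal 09:00 session on the second day stays below the threshold and comes from a known IP, so only the overnight bulk pull is reported.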

Source:

  • https://www.bleepingcomputer.com/news/security/transunion-suffers-data-breach-impacting-over-44-million-people/
  • https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/3dcd9b7c-bce3-4685-bffd-f728ce96e2fd.html
  • https://www.documentcloud.org/documents/26078139-transunion-breach-texas/


Ampcus Cyber