TL;DR: TransUnion disclosed that hackers stole data on 4,461,511 Americans (including names, addresses, dates of birth, and full Social Security numbers) through a compromised Salesforce integration. ShinyHunters claims they grabbed 13 million records total. This is the same attack wave that hit Google, Cisco, Farmers Insurance, Pandora, and dozens of others. More than 70 lawsuits have been filed. TransUnion says credit reports weren't touched. They're offering 24 months of free credit monitoring. If you're affected, freeze your credit now.

What TransUnion Lost

On July 28, 2025, someone broke into a Salesforce-connected application TransUnion used for customer support. TransUnion discovered the breach two days later.[1]

What got stolen:

  • Names
  • Billing addresses
  • Dates of birth
  • Full Social Security numbers
  • Phone numbers
  • Email addresses
  • Customer support tickets
  • Transaction records

TransUnion's official count: 4,461,511 U.S. consumers. ShinyHunters told BleepingComputer they grabbed over 13 million records, with the 4.4 million figure covering only Americans.[2]

The company insists its "core credit database" wasn't breached: credit reports and credit scores stayed locked. But the SSN data? That's enough to open accounts in your name, file fake tax returns, and commit medical identity fraud.

How ShinyHunters Got In

This wasn't a direct attack on TransUnion's systems. ShinyHunters exploited something far more common: third-party OAuth tokens connected to Salesforce.[3]

Here's what happened:

  1. Find the integration: TransUnion used Salesforce to manage customer support. That Salesforce instance was connected to other applications through OAuth, a protocol that lets apps share data without passing around passwords.
  2. Compromise the token: ShinyHunters didn't need TransUnion's password. They needed a token from any connected third-party app. These tokens often have weaker protections, or get exposed in other breaches.
  3. Bypass login: With the token, the attacker authenticates as a legitimate integration. No password needed. No MFA challenge. The system thinks it's a trusted app doing routine data syncing.
  4. Download everything: Once inside, they pulled customer support records, which included PII that TransUnion's customers had submitted during disputes or inquiries.

This technique is why Google's Threat Analysis Group and UpGuard have been screaming about OAuth token security for months. Attackers don't need to break down the front door when they can walk in through a side window that never gets checked.
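Because a stolen token passes authentication cleanly, the steps above can only be caught by watching how each integration behaves. The sketch below is an added example, not code from TransUnion, Salesforce or any source cited here. It assumes a hypothetical JSON event schema and a hand-built per-app baseline, and flags a token presented from a new source IP, a bulk export, and an integration nobody inventoried.

```python
import json
from collections import defaultdict

# Constructed sample events; the field names are a hypothetical schema,
# not a real Salesforce log format.
EVENTS = """\
{"ts":"2025-07-27T02:00:05Z","app":"support-sync","ip":"198.51.100.10","object":"Case","rows":180}
{"ts":"2025-07-27T02:30:11Z","app":"support-sync","ip":"198.51.100.10","object":"Case","rows":210}
{"ts":"2025-07-28T03:02:40Z","app":"support-sync","ip":"203.0.113.77","object":"Case","rows":50000}
{"ts":"2025-07-28T03:09:02Z","app":"support-sync","ip":"203.0.113.77","object":"Contact","rows":75000}
{"ts":"2025-07-28T04:00:00Z","app":"chat-widget","ip":"198.51.100.20","object":"Case","rows":12}
"""

# Hypothetical baseline per integration: expected source IPs and hourly row volume.
BASELINE = {
    "support-sync": {"ips": {"198.51.100.10"}, "max_rows_per_hour": 500},
}


def detect(events_text, baseline):
    """Return a sorted list of (alert_kind, app, detail) tuples."""
    rows_per_hour = defaultdict(int)
    alerts = set()
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        app, profile = event["app"], baseline.get(event["app"])
        if profile is None:
            # An integration nobody inventoried is itself a finding.
            alerts.add(("unknown_app", app, event["ip"]))
            continue
        if event["ip"] not in profile["ips"]:
            # Token is valid, but it is being presented from somewhere new.
            alerts.add(("new_source_ip", app, event["ip"]))
        hour = event["ts"][:13]  # e.g. "2025-07-28T03"
        rows_per_hour[(app, hour)] += event["rows"]
    for (app, hour), total in rows_per_hour.items():
        if total > baseline[app]["max_rows_per_hour"]:
            alerts.add(("bulk_export", app, f"{hour}: {total} rows"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(EVENTS, BASELINE):
        print(alert)
```

The normal sync traffic on the first day raises nothing; every alert comes from the token being used in a way the integration never was.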

TransUnion Is Just One Target

ShinyHunters didn't stop at TransUnion. They ran the same playbook against dozens of companies using Salesforce:[4]

  • Google
  • Cisco
  • Farmers Insurance
  • Allianz Life
  • Workday
  • Pandora
  • Chanel
  • Qantas
  • Adidas
  • Louis Vuitton
  • Tiffany & Co.
  • Air France-KLM

Security researchers track this as campaigns UNC6395 and UNC6040: essentially an "extortion-as-a-service" operation where ShinyHunters and affiliated crews share tactics, tools, and stolen data across underground forums.[4]

The pattern: target Salesforce integrations, steal customer data, demand ransom, dump everything online when the company refuses to pay. TransUnion apparently refused. Now 4.4 million Americans are exposed.

70+ Lawsuits and Counting

The legal storm started immediately. Two class action suits landed in Illinois federal court within weeks of the disclosure:[5]

Sevigny v. TransUnion LLC

Filed September 8, 2025 in U.S. District Court, Northern District of Illinois. Alleges violations of state and federal consumer protection laws.

Herships v. TransUnion LLC

Claims TransUnion committed negligence, breach of implied contract, and unjust enrichment by failing to secure customer PII.

But Salesforce is catching heat too. A September 2025 lawsuit (Morton v. Salesforce Inc. and TransUnion LLC) accused Salesforce of being the "hub" that enabled multiple "spoke" breaches.[6]

Salesforce got hit with 14 lawsuits in rapid succession in Northern California, naming 23 plaintiffs and co-defendants including TransUnion, Farmers Insurance, Allianz Life, Workday, and Pandora.[7]

Total lawsuits filed against companies in the Salesforce breach wave: over 70.[5]

What TransUnion Is Doing

TransUnion said it "quickly contained the issue" and emphasized the core credit database wasn't touched.[1]

For affected consumers, they're offering:

  • 24 months of free credit monitoring
  • Identity theft protection services through Cyberscout
  • Breach notification letters (check your mail)

That's the standard response. It's also the minimum. When a credit bureau loses your SSN, the monitoring they offer should probably be lifetime, not 24 months. But that's not how this industry works.

What You Should Do Now

If you've ever disputed a TransUnion report, contacted their support, or have any reason to think your data passed through their customer service system, assume you're affected.

Freeze Your Credit

Not a fraud alert, a freeze. It blocks new accounts from being opened in your name. Free at all three bureaus: Equifax, Experian, TransUnion. Yes, freeze at TransUnion too: they still control your credit file.

Get Your IRS Identity Protection PIN

An IRS IP PIN prevents someone from filing a fraudulent tax return in your name. Takes 10 minutes at irs.gov/get-an-identity-protection-pin.

Accept the Free Monitoring

If TransUnion sends you a notification letter, enroll in their free 24-month monitoring. It's the least they can do, and it gives you alerts if someone tries to use your SSN.

Watch for Phishing

ShinyHunters stole support tickets with specific details about your interactions with TransUnion. Expect targeted phishing emails that reference those details to seem legitimate. Verify everything directly. Don't click links in emails.

The Salesforce Problem

This breach exposes a reality most companies ignore: your security is only as strong as your weakest integration.

TransUnion didn't get hacked because its core systems failed. It got hacked because a Salesforce-connected app had exploitable OAuth tokens. That's true for most enterprises. They've got dozens of SaaS integrations, each with its own authentication tokens, each a potential entry point.

ShinyHunters found the pattern and scaled it. Same technique, 70+ companies, millions of records. They're not targeting Salesforce directly: they're targeting the messy ecosystem of third-party apps that plug into it.

We covered ShinyHunters' Okta SSO campaign last month: 100 companies targeted through voice-phished credentials. This Salesforce wave uses different tactics but the same strategy: go for the connectors, not the fortress.

References

  1. Top Class Actions - TransUnion announces Salesforce-linked data breach affecting 4.4 million Americans
  2. WebProNews - TransUnion Data Breach by ShinyHunters Exposes 4.4M Americans' SSNs
  3. Centraleyes - TransUnion Data Breach Exposes 4.5 Million Records Through Third-Party App
  4. Fox News - TransUnion becomes latest victim in major wave of Salesforce-linked cyberattacks
  5. Top Class Actions - TransUnion class action lawsuit alleges data breach compromised PII of 4.4M
  6. ThreatLocker - Morton v. Salesforce and TransUnion puts SaaS trust on trial
  7. SFGate - SF tech giant hit with 14 lawsuits in rapid succession