TransUnion, one of the three largest credit reporting agencies in the United States, disclosed that it suffered a data breach impacting more than 4.4 million individuals. The company revealed that the cyberattack stemmed from unauthorized access to its Salesforce account, a third-party application used to support consumer operations in the U.S.
In a data breach notification sent to affected individuals, TransUnion stated:
“We recently experienced a cyber incident involving a third-party application serving our U.S. consumer support operations. The unauthorized access includes some limited personal information belonging to you.”
While the company did not disclose exactly which categories of data were compromised, it emphasized that the breach did not affect credit reports or core credit information.
Background on TransUnion’s Role and Global Operations
TransUnion plays a critical role in the financial services sector, alongside Equifax and Experian. As one of the three main credit bureaus in the U.S., it maintains sensitive financial information for millions of consumers and businesses.
The company operates in 30 countries, employs roughly 13,000 staff worldwide, and generates an annual revenue of approximately $3 billion. Its services extend beyond credit reports, covering fraud detection, identity management, and risk analysis for enterprise clients.
This scale and responsibility make the security of its systems and third-party integrations an essential concern for both businesses and consumers who depend on accurate and safe data handling.
Details of the Salesforce Compromise
The breach specifically involved Salesforce, a cloud-based customer relationship management (CRM) platform widely used by enterprises for customer support and operational workflows. Attackers gained unauthorized access to TransUnion’s Salesforce environment, compromising personal information tied to consumer service interactions.
The company has not yet detailed whether exposed data included names, contact information, account identifiers, or other identifiers commonly stored within Salesforce. However, sample notifications underline that no “credit reports or core credit data” were included in the breach.
To address risks for consumers, TransUnion is offering 24 months of free credit monitoring and identity theft protection services.
Links to Wider Salesforce-Related Attacks
This incident is part of a larger wave of Salesforce-related data breaches targeting global enterprises in 2024 and 2025. High-profile organizations including Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas have all reported Salesforce-linked compromises this year.
Investigations attribute these attacks primarily to the ShinyHunters extortion group, known for large-scale data theft and blackmail operations. More recently, activity has been tracked to another group designated UNC6395, believed to be carrying out similar campaigns exploiting weaknesses in Salesforce environments.
Following confirmation of TransUnion’s breach, BleepingComputer verified with multiple sources—including ShinyHunters—that the stolen data was indeed tied to these Salesforce-focused attacks.
Company Response and Ongoing Investigation
TransUnion has acknowledged the severity of the incident and confirmed ongoing efforts to investigate alongside external cybersecurity experts. The company’s response has focused on three key areas:
- Containing the incident by cutting off unauthorized access.
- Assessing the scale of data exposure.
- Providing support and monitoring tools to affected individuals.
While the exact attack method remains undisclosed, the Salesforce breach adds to growing concerns about third-party application risks for enterprises managing sensitive customer data at scale.
For organizations relying on Salesforce and other third-party SaaS platforms, this breach highlights the risks of vendor-based exposure. Even if core systems remain secure, attackers can exploit integrations to reach valuable consumer data.
TransUnion’s incident joins a series of Salesforce-linked breaches underscoring the importance of monitoring, auditing, and securing enterprise applications against both insider and external threats.
