TransUnion, a major credit reporting firm, confirmed a significant data breach affecting **4,461,511 U.S. consumers** after attackers exploited vulnerabilities in a **third-party application** linked to its U.S. consumer support operations. The breach occurred two days before it was discovered on **July 30, 2025**, and exposed highly sensitive personal data, including **names, Social Security numbers, dates of birth, billing addresses, email addresses, phone numbers, customer transaction reasons (e.g., free credit report requests), and support tickets/messages**. While TransUnion claimed its **core credit database and credit reports remained uncompromised**, hackers allegedly stole **over 13 million records** in total, with ~4.4 million tied to U.S. individuals. The attack was attributed to the **extortion group ShinyHunters**, which leveraged malicious third-party integrations or OAuth-connected apps disguised as legitimate Salesforce tools. TransUnion responded by offering **24 months of free credit monitoring and identity theft protection** to affected individuals and by collaborating with law enforcement and cybersecurity experts on forensic analysis.
TPRM report: https://www.rankiteo.com/company/transunion
{
  "id": "tra1021410090425",
  "linkid": "transunion",
  "type": "Breach",
  "date": "7/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '4,461,511 (U.S. consumers)',
'industry': 'Financial Services',
'location': 'United States',
'name': 'TransUnion',
'size': 'Large (Global)',
'type': 'Credit Reporting Agency'}],
'attack_vector': ['Third-Party Application Exploitation',
'OAuth Abuse',
'Malicious Integrations'],
'customer_advisories': ['Delete old online accounts to reduce exposed data.',
'Avoid phishing scams; verify requests via official '
'channels.',
'Use strong, unique passwords and a password manager.',
'Enable two-factor authentication (2FA) on critical '
'accounts.',
'Keep devices and software updated.',
'Freeze credit with all three major bureaus '
'(TransUnion, Equifax, Experian).',
'Monitor financial accounts and credit reports '
'regularly.',
'Consider identity theft protection services (24 '
'months provided free to affected individuals).'],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '13,000,000 (total claimed by '
'hackers); 4,461,511 (U.S. '
'consumers confirmed by '
'TransUnion)',
'personally_identifiable_information': ['Names',
'Social Security '
'Numbers (SSNs)',
'Dates of Birth',
'Billing Addresses',
'Email Addresses',
'Phone Numbers'],
'sensitivity_of_data': 'High (includes SSNs, dates of birth, '
'and other sensitive identifiers)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Customer Support Records',
'Transaction Histories']},
'date_detected': '2025-07-30',
'date_publicly_disclosed': '2025-07-30',
'description': 'TransUnion confirmed a major cyber incident affecting over '
'4.4 million U.S. consumers. Attackers exploited weaknesses in '
"a third-party application used in TransUnion's U.S. consumer "
'support operations, linked to a broader wave of '
'Salesforce-related attacks. The breach exposed highly '
'sensitive personal data, including names, Social Security '
'numbers, dates of birth, and customer support records. The '
'extortion group ShinyHunters and its affiliates are suspected '
'of involvement. TransUnion is offering 24 months of free '
'credit monitoring and identity theft protection to affected '
'individuals.',
'impact': {'brand_reputation_impact': ['Potential loss of trust in credit '
'reporting security',
'Media scrutiny',
'Consumer backlash'],
'data_compromised': ['Names',
'Dates of Birth',
'Social Security Numbers (SSNs)',
'Billing Addresses',
'Email Addresses',
'Phone Numbers',
'Reasons for Customer Transactions (e.g., '
'free credit report requests)',
'Customer Support Tickets and Messages'],
'identity_theft_risk': 'High (due to exposure of SSNs, dates of '
'birth, and other PII)',
'legal_liabilities': ['Potential regulatory fines',
'Class-action lawsuits (risk)'],
'operational_impact': ['Disruption to consumer support operations',
'Forensic investigation',
'Customer notifications'],
'systems_affected': ['Third-party application used in U.S. '
'consumer support operations']},
'initial_access_broker': {'data_sold_on_dark_web': 'Likely (hackers claimed '
'13M records stolen; '
'ShinyHunters linked to '
'underground data sales)',
'entry_point': 'Third-party application integrated '
'with Salesforce (disguised as '
'legitimate tool)',
'high_value_targets': ['Customer Relationship '
'Management (CRM) data',
'PII-rich support records']},
'investigation_status': 'Ongoing (third-party forensic review in progress, '
'law enforcement involved)',
'lessons_learned': ['Third-party integrations with Salesforce applications '
'are high-risk targets for attackers.',
'OAuth-connected apps can bypass traditional login '
'protections, enabling persistent access.',
'Rapid containment is critical, but public disclosure '
'timelines may lag for forensic completeness.',
'Credit monitoring services are essential for mitigating '
'post-breach identity theft risks.'],
'motivation': ['Data Theft',
'Extortion',
'Financial Gain',
'Data Exfiltration for Underground Sales'],
'post_incident_analysis': {'corrective_actions': ['Engaged third-party '
'cybersecurity experts for '
'forensic review.',
'Providing 24 months of '
'credit monitoring to '
'affected individuals.',
'Collaborating with law '
'enforcement for '
'attribution and '
'mitigation.'],
'root_causes': ['Insecure third-party integrations '
'with Salesforce applications.',
'Inadequate oversight of '
'OAuth-connected apps.',
'Lack of segmentation between '
'consumer support systems and core '
'credit databases (though core '
'systems were not breached).']},
'ransomware': {'data_exfiltration': 'Yes (but not ransomware-specific)'},
'recommendations': ['Strengthen third-party vendor security assessments, '
'especially for Salesforce-connected applications.',
'Implement stricter OAuth and API access controls.',
'Monitor dark web forums for stolen data sales.',
'Enhance consumer education on phishing risks '
'post-breach.',
'Consider proactive credit freezes for affected '
'individuals.',
'Evaluate legal accountability for credit bureaus in mass '
'exposure incidents.'],
'references': [{'date_accessed': '2025-08-01',
'source': 'Fox News (CyberGuy Report)',
'url': 'https://www.foxnews.com/tech/transunion-data-breach-what-you-need-to-know'},
{'date_accessed': '2025-07-30',
'source': "Maine Attorney General's Office Filing"},
{'date_accessed': '2025-08-01',
'source': 'CyberGuy.com - TransUnion Breach Coverage',
'url': 'https://www.cyberguy.com/transunion-data-breach/'}],
'regulatory_compliance': {'regulatory_notifications': ['Filing with Maine '
"Attorney General's "
'Office']},
'response': {'communication_strategy': ['Public disclosure via Maine Attorney '
"General's Office filing",
'Media statements',
'Direct notifications to affected '
'consumers'],
'containment_measures': ['Quick containment within hours of '
'discovery',
'Isolation of affected third-party '
'application'],
'incident_response_plan_activated': 'Yes',
'law_enforcement_notified': 'Yes',
'recovery_measures': ['24 months of free credit monitoring and '
'identity theft protection for affected '
'individuals'],
'remediation_measures': ['Forensic investigation',
'Customer notifications'],
'third_party_assistance': ['Engaged third-party cybersecurity '
'experts for independent forensics '
'review']},
'stakeholder_advisories': ['Affected consumers will receive direct '
'notifications with details on credit monitoring '
'services.',
'TransUnion emphasizes that core credit databases '
'and credit reports were not compromised.'],
'threat_actor': ['ShinyHunters',
'Scattered Spider (suspected overlap)',
'UNC6395',
'UNC6040'],
'title': 'TransUnion Data Breach via Third-Party Salesforce Integration',
'type': ['Data Breach',
'Unauthorized Access',
'Third-Party Vulnerability Exploitation'],
'vulnerability_exploited': 'Weaknesses in third-party integrations with '
'Salesforce-connected applications (not Salesforce '
'itself)'}