Thursday, August 28, 2025
Experts warn of larger wave after TransUnion breach exposes sensitive data of 4.4 million
Consumer credit reporting giant TransUnion disclosed on Aug. 27, 2025, that a data breach compromised sensitive personal information, including Social Security numbers, belonging to over 4.4 million Americans in what experts say may be just the beginning of a wave of similar disclosures.
According to a filing with the Maine Attorney General's Office, the breach occurred on July 28, 2025, and was discovered two days later. The company's notification letter described the incident as involving "a third-party application serving our U.S. consumer support operations."
Initially, TransUnion characterized the exposed data as "limited" and emphasized that no credit reports or core credit information were affected. However, reporting by BleepingComputer confirmed that the breach stemmed from a Salesforce compromise, with attackers gaining access to customer names, addresses, phone numbers, email addresses, birthdates, transaction details, support messages and unredacted Social Security numbers.
The breach follows a string of Salesforce-related attacks targeting high-profile organizations such as Google, Farmers Insurance, Allianz Life, Cisco and Qantas. Cybersecurity researchers attribute the TransUnion incident to the ShinyHunters extortion group, as well as UNC6395, a cluster of threat actors known for exploiting weaknesses in SaaS environments.
Significantly higher risk
Cory Michal, chief security officer at AppOmni, said the exposure of Social Security numbers raises the stakes far beyond most recent Salesforce-related disclosures. "This incident poses a significantly higher risk to victims than many of the other Salesforce breaches disclosed so far," he said. "The compromise of SSNs creates far greater potential for identity theft, financial fraud and long-term misuse of personal data."
Michal added that while the number of impacted individuals may be smaller than in past breaches, the severity of this event sets it apart. "That elevates the impact of the TransUnion breach well above other recent disclosures, even if the number of affected individuals is smaller," he noted.
The TransUnion incident appears to overlap with multiple campaigns targeting Salesforce tenants. Michal noted that the breach aligns with an earlier campaign known as UNC6040, based on its timing, while the more recent UNC6395 campaign has already compromised more than 700 Salesforce tenants.
"What we're seeing now is likely the leading edge of a much larger wave of public disclosures, as investigations conclude and regulatory timelines come due," Michal warned.
Vulnerability of SaaS platforms
The incident highlights a broader issue: the vulnerability of SaaS platforms like Salesforce, which are mission-critical for many organizations yet often undersecured.
"SaaS applications like Salesforce are deeply integrated into business operations, but they also represent a massive and often undersecured attack surface," Michal said. "For many organizations, SaaS tenants are a large blind spot compared to on-premise or IaaS [infrastructure-as-a-service] environments, which makes them attractive targets for attackers."
TransUnion, one of the three major U.S. credit bureaus alongside Equifax and Experian, maintains credit information on more than 1 billion consumers globally, including 200 million in the United States. The company has offered two years of free credit monitoring and identity theft protection to affected customers.
As regulatory deadlines approach and investigations conclude, more companies are expected to disclose similar breaches. For victims, however, the damage may be lasting. As Michal emphasized, "These incidents highlight the need for stronger visibility, monitoring and security controls on SaaS products and tenants."