TransUnion reports data breach exposing sensitive information of over 4.4 million people
Learn More
Credit reporting company TransUnion is reporting a data breach that compromised the personal information of over 4.4 million people in the United States.
TransUnion is one of the three major credit reporting agencies in the United States, alongside Equifax and Experian. It collects and maintains credit information on over 1 billion consumers worldwide, approximately 200 million of those based in the U.S.
The security incident occurred on July 28, 2025, and was discovered two days later on July 30. The attack is part of a broader campaign targeting Salesforce instances via voice phishing. According to the hacker ganf ShinyHunters, "All records from TransUnion Salesforce CRM instance was taken. Total 13M+ records, 4.4 million records are just U.S."
The data exposed in this incident was described as "limited" by the company, and that no credit reports or core credit information were accessed. A sample of the stolen data shared with cybersecurity researchers contained extensive sensitive personal information.
Exposed data includes:
- Names
- Billing addresses
- Phone numbers
- Email addresses
- Dates of birth
- Social Security numbers (unredacted)
- Customer transaction details (such as requests for free credit reports)
- Customer support tickets and messages stored in Salesforce
According to filings with the Maine Attorney General's Office, 4,461,511 U.S. persons are affected by the incident.
The wave of Salesforce data theft attacks that have impacted numerous companies this year, including Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas.
TransUnion has begun notifying affected customers through breach notification letters and is offering impacted individuals 24 months of free credit monitoring and identity theft protection services.
Update - as of 15th of September 2025, more than 69,000 people in Wisconsin are reported to be impacted by TransUnion data breach
