The Salesforce Attack Wave: What the TransUnion Data Breach Means for Your Business

Any business that collects and stores financial information and other sensitive information (like Social Security numbers, past addresses, employment records, and more) is a tempting target for cybercriminals. And TransUnion appears to have been better protected than many organizations that collect similar information.  

Unfortunately, a weakness in a third-party system allowed cybercriminals to access the sensitive information of almost 4.5 million Americans. The incident serves as a stark reminder of why data-rich organizations remain prime targets and why businesses of all sizes must take cybersecurity seriously — their own, and every vendor they work with. 

An Overview of the 2025 TransUnion Data Breach

On July 28, cybercriminals successfully infiltrated TransUnion's systems through a third-party application that supported the company's US consumer operations. While TransUnion detected and contained the breach, the damage was already done. Hackers had accessed names, Social Security numbers, and birthdates of millions of consumers.

Here’s a timeline: 
June 4 — Google reported that hackers were successfully using a modified version of a Salesforce-related app to steal data and infiltrate cloud systems. 

July 28 — ShinyHunters, a criminal hacker group also known as UNC6040, stole extensive personal data from TransUnion. They also allegedly got their hands on transaction and support ticket information, making it easy for them to launch sophisticated phishing attacks in the future.

July 30 — TransUnion discovered the breach and contained it within hours of discovery.

Late August — TransUnion begins notifying individuals whose information may have been compromised.

The Salesforce Data Breach Connection: A Growing Attack Pattern

This breach appears to be part of a larger wave of cyberattacks targeting companies' Salesforce databases. According to Google's security research, hackers have been using modified Salesforce-related applications to infiltrate corporate systems, steal vast amounts of data, and extort companies. 

Here’s a list of companies that were likely breached in the same way: 

• Google
• Cisco
• Allianz Life Assurance
• Farmers Insurance
• Dior
• Chanel
• Pandora
• Workday
• Manpower
• Qantas Airlines

How Attacks Like These Typically Work 

The attack method ShinyHunters often uses is surprisingly simple yet devastatingly effective. It relies entirely on voice phishing (vishing) rather than technical exploits.

Here's exactly how the attack unfolds:

• Attackers impersonate internal IT support staff and call employees, either to “resolve tech issues” or “update security settings”
• A hacker tells their victim to go to Salesforce's connected app setup page to approve an illegitimate version of the Data Loader app — called something like "My Ticket Portal"
• The malicious app allows hackers to get ongoing access to the organization’s Salesforce data
• Hackers start exporting data — often slowly at first to avoid detection
• Hackers start using stolen credentials to expand their attack through other platforms 

TransUnion Breach Takeaways for Businesses

Every time a new data breach occurs that impacts millions of people, some people will throw up their hands and insist that cybersecurity is useless against international cybercriminals. 

Not only is that not the right takeaway, it’s also not true. Not every business needs to be a digital fortress, but organizations sitting on treasure troves of personal data can't afford to treat cybersecurity as an afterthought. No single system or tool is impenetrable, but cybersecurity best practices can prevent the vast majority of attacks. And even the few attacks that make it past the gates can and should be identified and contained in minutes, not hours, and not days. 

Here’s what this most recent attack makes clear for the rest of 2025 and beyond: 

1. Third-Party Risk Management Is Non-Negotiable

Your cybersecurity is only as strong as your weakest third-party connection. If you currently aren’t regularly evaluating your vendors’ security posture, it’s time to start. 

In other words, organizations must:

• Regularly conduct thorough security assessments of all third-party vendors and applications
• Implement continuous monitoring of third-party access and activities
• Establish clear security requirements in vendor contracts
• Regularly audit third-party integrations and permissions
• Make decisions moving forward based on a vendor’s risk to your business

2. Social Engineering Remains a Top Threat 

These Salesforce-related attacks show that the more sophisticated cybersecurity tools get, the more likely it is that hackers will target the human element. 

If you haven’t already, here are your to-dos: 

• Invest in comprehensive security awareness training for all employees
• Implement strict verification procedures for system access requests
• Create a culture of security skepticism where employees feel empowered to question unusual requests
• Regularly test your team's response to social engineering attempts

3. Multi-Factor Authentication Is Essential

Even if a user’s credentials were exposed, using multi-factor authentication can stall or even eliminate those credentials from being useful to hackers. 

These cybersecurity basics are must-haves: 

• Enable MFA across all systems, especially cloud-based applications
• Use hardware security keys where possible for the strongest protection
• Regularly review and manage connected applications and permissions
• Implement zero-trust architecture principles

4. Incident Response Preparedness Matters

The longer a hacker has access to your systems and data, the more damage they can do. 

In 2025 and beyond, any business that collects sensitive data needs to have:

• A thorough incident response plan that is tested regularly
• Clear communication protocols for breach notifications
• Regular security tabletop exercises 

What Individuals Should Do Following the TransUnion Data Breach

If you're concerned about whether your data was compromised in this specific breach, you can contact TransUnion's Fraud Victim Assistance Department at 800-680-7289. If you receive a notification that your data was affected, TransUnion is offering free access to credit monitoring and proactive fraud assistance services.

What We Recommend Moving Forward

• Regularly monitor your credit reports and credit card statements
• Consider freezing your credit with each credit bureau
• Take advantage of free credit monitoring if and when it’s offered
• Update your passwords, prioritizing email, banking, cloud, and government accounts
• Enable multifactor authentication (MFA) wherever possible
• Don’t reuse passwords, and start using a password manager
• Switch to passkeys when possible
• Check to see if your email or password has been leaked using tools like Have I Been Pwned?
• Subscribe to dark web monitoring services 

Why You Need To Protect Yourself 

Unfortunately, the TransUnion data breach comes on the heels of many others: Infostealers, the National Public Data Breach, and the Mother of All Data Breaches (MOAB). 

Even if none of your financial accounts have been accessed by a hacker, they can use your sensitive information to do other things, including:

• Open fraudulent credit accounts
• Apply for loans or benefits in someone else’s name
• File fake tax returns to claim refunds
• Engage in other forms of financial fraud

The Easiest Way To Get a Gut Check on Your Organization’s Cybersecurity

Even if your organization isn’t nearly as big as TransUnion, that doesn’t mean you’re not a target. 

Cybercriminals often target much smaller organizations, hoping to find lax cybersecurity and a lot of unprotected data. Local governments, universities, K-12 schools, healthcare providers, and even nonprofits can be tempting. 

Cybersecurity is constantly evolving, so if you haven’t updated your cybersecurity solutions in the past few years, your organization might have fallen behind. To get a quick gut check on your cybersecurity health, click the link below!