More Than 4.4 Million Exposed in Credit Bureau TransUnion Breach: What to Know

The breach appears related to a wave of attacks on companies' Salesforce databases.

Blake Stimac, Steven Musil

The TransUnion data breach exposed the data of up to 4.4 million customers. 

Sensitive personal information belonging to 4.4 million customers, including their names and Social Security numbers, was exposed in a data breach at credit bureau TransUnion, in what is believed to be the latest in a string of attacks targeting companies' Salesforce databases.

The data breach, which occurred on July 28, was identified and contained within hours, a TransUnion spokesperson told CNET. TransUnion is one of three credit bureaus -- along with Equifax and Experian -- that compile your financial activity into credit reports that are then used to create your credit scores. The credit bureau said it's notifying people who may have been affected and sharing the actions the company is taking. 

Two separate state filings provide more details on the situation. A court filing in Maine shows that TransUnion acknowledged unauthorized access from a third-party application that stored personal customer data. While the notice to consumers says that no credit information was accessed, "limited personal information" was exposed. However, another filing from Texas states that names of individuals, Social Security numbers and birthdates were exposed in the breach.

The TransUnion spokesperson further clarified that the breach involved a third-party application serving its US consumer support operations but did not include its core credit database or credit reports. The bureau has engaged third-party cybersecurity experts for an independent forensics review. 

The breach came after Google reported in June that hackers were using a modified version of a Salesforce-related app to steal vast stores of data, infiltrate other cloud systems and extort compromised companies. The same report named the cybercriminal hacking group ShinyHunters, which it said was linked to extortion demands to employees of the victim organizations.

Several global organizations have already been caught in a wave of Salesforce-linked attacks, according to BleepingComputer, including Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel and Qantas. Salesforce said social engineering, and not its platform, was to blame for the attacks.

"The Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology," Salesforce said in a statement in August, adding that customers can mitigate the risk by enabling multi-factor authentication and closely managing connected applications.

Consumer rights law firm Wolf Haldenstein issued an alert on the breach and encouraged those who have received a notice and spot unusual activity on their credit report to reach out.

If you're not sure if your private data was leaked or you haven't received any communication from TransUnion, you can check by calling its Fraud Victim Assistance Department at 800-680-7289.  

Even if you haven't received a notice, if you've experienced unusual activity on your credit report, you can always freeze your credit for free, enable two-factor authentication or add a security key to your accounts.