When companies have big breaches, they have to notify the big credit reporting agencies. However, it is now one of the major credit reporting agencies that must send notifications.
TransUnion has notified the Maine Attorney General’s Office that 4,461,511 U.S. persons were affected by an incident on July 28, 2025 that involved an unnamed third-party application. TransUnion’s submission to Maine also revealed that the breach was discovered on July 30, 2025.
A copy of their notification letter to consumers, provided to Maine, is skimpy on details. Not only does it not tell those affected when the breach occurred, when it was discovered, or how it happened, but it also does not tell recipients what the third-party application was, and whether there was any ransom demand or threat.
The letter does inform recipients what specific data elements of theirs were involved, while reassuring them that “The information was limited to specific data elements and did not include credit reports or core credit information.”
Neither TransUnion’s letter nor its notification to Maine provides any sense of which consumers or subgroup of U.S. consumers were affected, but the letter indicates that the data was stored on a “third-party application serving our U.S. consumer support operations,” so the more than 4.4 million are U.S. consumers out of approximately 200 million U.S. consumers that TransUnion compiles data on.
TransUnion is offering those affected 24 months of credit monitoring and what they describe as proactive fraud assistance to help with any questions that those affected may have now or in the event that they become a victim of fraud.
DataBreaches emailed TransUnion to ask whether this incident was related to the Salesforce or Salesforce / Salesloft Drift campaign and whether any extortion demand has been received.
Update: TransUnion declined to provide any additional details, but in a statement to DataBreaches, ShinyHunters stated:
All records from TransUnion Salesforce CRM instance was taken. Total 13M+ records, 4.4 million records are just U.S. SSNs were also compromised, in plaintext. We’ll begin to leak data on the forum known as BreachStars of companies who did not pay us or chose to ignore us.
When asked whether this attack involved Salesloft Drift or was the prior Salesforce campaign, ShinyHunters declined to comment.
ShinyHunters’ statement about the incident is consistent, however, with information given to DataBreaches on background by someone with knowledge of the incident, who informed DataBreaches that the 13M+ number was the number affected globally.
In related news, “Shiny” (the individual and seeming leader of ShinyHunters) confirmed to DataBreaches that the ShinyHunters user account on the new Breachsta[.]rs forum is, in fact, their account, unlike the “ShinyHunters” imposter account that had briefly appeared on UmbraForums[.]net.