Crouching Tiger, Hidden Hackers: TransUnion's Third-Party Support App Exposes 4.4M People

4.46M TransUnion customers exposed via third-party support app - what we know
TransUnion has confirmed at least 4,461,511 impacted individuals after attackers accessed a third-party application used for U.S. consumer support on July 28, 2025. The company says no credit-file data was accessed, and early notice language doesn’t list the exact fields. We’ll update as additional letters post.
Why it matters
When the breach hits the support stack rather than core credit systems, the near-term risk leans toward targeted phishing and account takeover using contact/identity details (names, addresses, phone numbers, and potentially government-ID fields if present). TransUnion continues to stress that credit reports weren’t touched; the precise field list is still pending.
Timeline (so far)
- July 28, 2025 - breach occurs in a third-party app tied to U.S. consumer support.
- July 30, 2025 - discovery by the company.
- Aug 28, 2025 - public notice reiterates that core credit data wasn’t involved.
Threat actor, vector, vendor
- Actor: not named; no credible claim observed as of publication.
- Vector: unauthorized access to a third-party support application, as confirmed in regulator language and company statements.
- Vendor: not disclosed; we’re watching AG portals and filings for a name.
Could this tie to the recent Salesforce social-engineering wave?
Pattern-wise, the intrusion looks a lot like the vishing-to-connected-app playbook documented this summer: attackers convince support staff to authorize a malicious connected app (often a tweaked Data Loader) and later extort under ShinyHunters-branded personas. Even a major cloud provider acknowledged one of its own Salesforce orgs was briefly impacted in June before access was cut. That said, until TransUnion names the vendor or releases technical indicators, this remains informed pattern-matching, not attribution.
A separate burst between Aug 8-18 abused compromised OAuth tokens tied to the Salesloft-Drift integration to mass-query Salesforce objects and hunt for secrets (think AWS keys, Snowflake tokens, passwords). TransUnion’s breach date is July 28, after vishing activity was live and before the OAuth spree, so the timing could align with the earlier cluster but precedes the Drift/OAuth wave. Absent fingerprints like connected-app indicators and IOCs (e.g., distinctive user-agents and Tor patterns) or extortion emails from known personas, we won’t over-claim.
What’s still unknown
- The specific data elements (letters so far use “limited personal information” without listing fields).
- Whether any non-U.S. consumers are affected (current disclosures point to U.S. support systems).
If you’re affected: quick actions
- Freeze your credit at all three bureaus: TransUnion, Equifax, Experian.
- Add a fraud alert and stay alert for targeted phishing that references your TransUnion interactions.
- Use the bureau’s step-by-step breach guidance for follow-through.















