A recent data breach at TransUnion has compromised the Social Security numbers of 4.4 million consumers in the United States, following a cyber attack on a Salesforce-integrated application. The breach is associated with the hacking group identified as UNC6395.
In an incident that began on July 28, 2025, credit reporting agency TransUnion disclosed that personal information, including names, birth dates, phone numbers, and Social Security numbers, was exposed. Although the breach did not affect the company's primary credit database or the integrity of credit reports, the sensitive nature of the data prompted the company to offer complimentary credit monitoring services to affected individuals.
According to reports filed with state authorities, this security event resulted from an attack on a third-party application used for customer support purposes at TransUnion. While the specific third-party company involved has not been disclosed, cybersecurity experts suspect the incident is part of a broader series of attacks targeting Salesforce databases.
A Recurring Trend
This incident highlights an emerging trend in cyberattacks focused on companies with significant repositories of customer data. Other notable organizations, including Allianz Life, Farmers Insurance, Google, Workday, Pandora, Cisco, Chanel, and Qantas, have faced similar breaches recently. Analysis from Mandiant, a subsidiary of Google, attributes this extensive campaign to the activities of UNC6395, a group of cyber adversaries believed to be responsible for a widespread data theft operation.
UNC6395 has been characterized as a newly identified threat actor group actively engaging in data theft across numerous organizations, predominantly those utilizing Salesforce services. Moreover, the hacking group Shiny Hunters has also been credited with various related attacks within this context.
These cyberattackers are noted for employing social engineering tactics, manipulating employees into granting unauthorized access to malicious applications, thereby enabling data extraction from large platforms such as Salesforce. The particular application exploited in this incident is believed to be Salesloft Drift, a widely used tool in the customer engagement sphere.
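One defender-side check that follows from the paragraph above is to review which third-party applications have been granted access to the customer-data platform, since the attackers relied on employees approving such grants. The following is an added example, not code from the original article or from any vendor named in it: it takes a constructed export of application consent grants and flags apps that are not on an integration allowlist, that hold scopes beyond their approved set, or that hold broad data-access scopes. The AppGrant model, the app names and the scope names are all assumptions and do not correspond to any real product's permission model.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AppGrant:
    """One consent grant of a third-party app to a SaaS tenant (constructed model)."""
    app_name: str
    scopes: frozenset
    granted_by: str
    granted_on: date


# Vetted integrations and the scopes each is allowed to hold (constructed allowlist;
# in practice this comes from the organisation's integration change-control records).
APPROVED_APPS = {
    "Helpdesk Connector": frozenset({"read:cases", "write:cases"}),
    "Billing Sync": frozenset({"read:accounts"}),
}

# Scopes that expose bulk customer data and therefore warrant review even for
# approved apps (constructed scope names, not any vendor's real scope list).
BROAD_SCOPES = frozenset({"api", "full", "refresh_token", "read:all_records"})


def review_grants(grants):
    """Return (app_name, granted_by, reason) findings for grants a defender should examine.

    A grant can produce more than one finding: an unapproved app that also holds
    a broad scope is reported for both conditions.
    """
    findings = []
    for g in grants:
        allowed = APPROVED_APPS.get(g.app_name)
        if allowed is None:
            findings.append((g.app_name, g.granted_by, "app not on integration allowlist"))
        else:
            extra = g.scopes - allowed
            if extra:
                findings.append((g.app_name, g.granted_by,
                                 "holds scopes beyond its approved set: " + ", ".join(sorted(extra))))
        broad = g.scopes & BROAD_SCOPES
        if broad:
            findings.append((g.app_name, g.granted_by,
                             "broad data-access scope granted: " + ", ".join(sorted(broad))))
    return findings


# Constructed sample grants standing in for an export of a tenant's app consents.
SAMPLE_GRANTS = [
    AppGrant("Helpdesk Connector", frozenset({"read:cases", "write:cases"}), "agent01", date(2025, 3, 2)),
    AppGrant("Billing Sync", frozenset({"read:accounts", "read:all_records"}), "finance02", date(2025, 5, 9)),
    AppGrant("Support Assistant Pro", frozenset({"api", "refresh_token"}), "agent07", date(2025, 6, 17)),
]

if __name__ == "__main__":
    for app, who, reason in review_grants(SAMPLE_GRANTS):
        print(f"{app} (granted by {who}): {reason}")
```

The review deliberately reports the grantor alongside the app, because a consent approved by an individual employee rather than through change control is exactly the pattern the social-engineering route described above produces; feeding a real consent export into `review_grants` only requires mapping the export's fields onto the constructed AppGrant model.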
The Extent of the Compromise
This incident exemplifies the inherent risks associated with third-party services. Even organizations with robust internal security measures can fall victim to vulnerabilities present within trusted partners, resulting in extensive data leaks.
Cory Michal, Vice President of Information Security at AppOmni, highlighted the elevated risk to victims posed by this incident, noting that it represents a more serious threat than many previous Salesforce-related breaches due to the sensitive nature of the exposed Social Security numbers and accompanying contact information.
Mapped to the MITRE ATT&CK framework, the attack likely involved initial access, exploitation of a trusted relationship, and possibly privilege escalation. Understanding these methodologies can help businesses strengthen their security posture and mitigate similar risks in the future.