Salesforce Data Breach Lawsuits Remain Fragmented, Except for TransUnion Case A series of lawsuits tied to social engineering attacks targeting Salesforce databases will not be consolidated into a single multidistrict litigation (MDL), with one exception: complaints against TransUnion, which will proceed in federal court in Illinois. The U.S. Judicial Panel on Multidistrict Litigation ruled that the cases lack sufficient commonality, as each breach involves distinct incidents with varying details. Most complaints do not directly implicate Salesforce or allege a shared vulnerability in its platform as a key factor. Instead, the lawsuits stem from separate attacks where unique circumstances will shape the legal proceedings. The decision underscores the fragmented nature of these breaches, with no overarching pattern linking them beyond the use of social engineering tactics. The TransUnion case will move forward independently, while other claims remain dispersed across different jurisdictions.

TransUnion, a major credit reporting agency, suffered a significant data breach linked to the extortion group ShinyHunters, who exploited vulnerabilities in Salesforce-hosted databases. The attack exposed 4.4–4.5 million customers’ sensitive personal information, including Social Security Numbers (SSNs), which heightens risks of identity theft, financial fraud, and long-term misuse of personal data. Unlike prior breaches involving less critical data, this incident involved highly sensitive identifiers, prompting TransUnion to offer 24 months of free credit monitoring and proactive fraud assistance to affected individuals. The same group has allegedly targeted other high-profile entities like Google, Allianz Life, Cisco, and Workday, indicating a broader campaign. The breach underscores vulnerabilities in third-party hosted systems and the escalating sophistication of cybercriminal tactics targeting financial institutions.

TransUnion, a major credit reporting firm, confirmed a significant data breach affecting 4,461,511 U.S. consumers after attackers exploited vulnerabilities in a third-party application linked to its U.S. consumer support operations. The breach, discovered on July 30, 2025 (occurring two days prior), exposed highly sensitive personal data, including names, Social Security numbers, dates of birth, billing addresses, email addresses, phone numbers, customer transaction reasons (e.g., free credit report requests), and support tickets/messages. While TransUnion claimed its core credit database and credit reports remained uncompromised, hackers allegedly stole over 13 million records in total, with ~4.4 million tied to U.S. individuals. The attack was attributed to the extortion group ShinyHunters, leveraging malicious third-party integrations or OAuth-connected apps disguised as legitimate Salesforce tools. TransUnion responded by offering 24 months of free credit monitoring and identity theft protection to affected individuals and collaborating with law enforcement and cybersecurity experts for forensic analysis.

Maine Consumers Lose Over $33 Million to Fraud as Data Breaches Fuel Identity Theft Risks During National Consumer Protection Week, cybersecurity experts are highlighting the growing threat of identity theft after Maine residents lost more than $33 million to fraud in 2023. With data breaches exposing personal information including Social Security numbers consumers are urged to take proactive steps to secure their identities. One of the most effective defenses is a credit freeze, a free service offered by the three major credit bureaus Experian, Equifax, and TransUnion. By freezing their credit, individuals can block fraudsters from opening new accounts in their name, even if stolen data is in circulation. The freeze can be temporarily lifted for legitimate credit applications and does not affect credit scores or access to annual credit reports. To further protect Social Security numbers (SSNs), often targeted by scammers, two key measures are recommended: 1. E-Verify’s “Self Lock” – This federal tool prevents unauthorized use of an SSN for employment or background checks, with an annual renewal requirement. 2. Social Security Administration (SSA) Account Block – Restricts online access to SSA records, requiring in-person verification to lift the block. Fraud prevention advocates, including Phil Chin of AARP Maine’s Fraud Watch Network, emphasize that scammers exploit convenience, making these extra security steps critical. While the process may require additional effort, experts argue the safeguards are necessary to counter increasingly sophisticated identity theft schemes. The warnings come as data breaches continue to expose sensitive information, leaving consumers vulnerable to financial and reputational harm.

The Vermont Office of the Attorney General disclosed on October 2, 2024, that TransUnion Risk and Alternative Data Solutions (TRADS) suffered a data breach involving unauthorized access to consumer personal data. The incident occurred over an unspecified period, with the investigation launched on July 24, 2024, and concluding on September 10, 2024. While TRADS’s internal security systems were confirmed not compromised, the breach resulted in the exposure of consumer information, including names and other unspecified personal data elements. The exact scope of the exposed data remains undisclosed, but the incident highlights vulnerabilities in third-party data handling, raising concerns over potential misuse of sensitive consumer information. No evidence of financial fraud or large-scale identity theft has been reported thus far, but the exposure of personal identifiers poses risks of targeted phishing, identity theft, or reputational harm to affected individuals.

The California Office of the Attorney General reported a data breach involving TransUnion Risk and Alternative Data Solutions, Inc. (TRADS) on October 2, 2024. The breach occurred between February 8, 2024, and April 16, 2024, involving unauthorized access attempts to personal information, specifically names and certain impacted data elements, although the number of affected individuals is unknown.

FBI hacker 'USDoD' reportedly released private information from consumer credit reporting company TransUnion. Highly sensitive data that was purportedly stolen from the credit reporting bureau was leaked, according to a threat actor going by the handle "USDoD." The disclosed database, which is over 3GB in size, contains private information about 58,505 individuals from all around the world, including America and Europe. The hacker allegedly possessed information on 1000 of Airbus suppliers. 3,200 people that were connected to Airbus vendors had their personal information stolen by threat actors; the information that was revealed included names, job titles, residences, email addresses, and phone numbers.

The Vermont Office of the Attorney General reported on March 10, 2023, that TransUnion LLC experienced a data breach where unauthorized actors may have accessed personal information of consumers potentially between December 1, 2022, and January 13, 2023. Sixty-seven cases were identified, involving the bypass of verification measures, but the specific types of personal information affected are not detailed in the report.

TransUnion LLC reported a data breach incident after information in the company’s possession was subject to unauthorized access. The breach compromised the names, Social Security numbers, financial account numbers and driver’s license numbers. TransUnion investigated the incident and sent out data breach letters to all affected parties.

TransUnion South Africa servers were attacked by N4ughtysecTU hacker group by using an authorised client’s credentials The attackers stole about 4TB of the personal data of 54 million customers of the company and threaten to release the data if ransom not paid.

The Maine Office of the Attorney General reported a data breach involving TransUnion LLC on November 7, 2022. From January 16, 2022, to July 15, 2022, unauthorized actors potentially accessed personal information of 213 individuals, including names, Social Security numbers, dates of birth, financial account numbers, and driver's license numbers. TransUnion offered one year of complimentary identity theft protection and credit monitoring services to affected individuals.

On August 4, 2022, the California Office of the Attorney General reported a data breach by TransUnion LLC that involved attempts to access personal information from credit files. The breach occurred between August 4, 2021, and January 31, 2022, with the specific number of individuals affected and the types of compromised information remaining unknown.

The Maine Office of the Attorney General reported a data breach at TransUnion LLC involving impersonation attempts. The incident affected 24 Maine residents and potentially impacted a total of 10,814 individuals. The suspicious activity occurred between January 1, 2021, and March 28, 2022. Notification letters were sent to affected individuals on August 4, 2022, and one year of complimentary credit monitoring services was offered.

Data Breach Checkers: How They Work and Why They Matter A data breach checker is a tool that scans breach databases, dark web markets, and malware logs to determine whether personal information such as email addresses, passwords, phone numbers, or Social Security numbers (SSNs) has been exposed in a known incident. These tools cross-reference user-provided identifiers (e.g., an email or phone number) against vast datasets of compromised records, revealing exposure events that may have gone unnoticed. ### How Breach Checkers Operate Most breach checkers use a hashing and matching model: a user submits an identifier (e.g., an email), which is hashed for privacy before being compared against a database of known breaches. The quality of results depends on the tool’s data sources. Basic checkers rely on publicly disclosed breaches, while advanced ones monitor dark web markets, criminal forums, paste sites, and infostealer malware logs sources that often reveal exposures before they’re formally reported. Key data sources include: - Publicly disclosed breaches (e.g., Adobe 2013, Yahoo 2013–2014). - Dark web intelligence (automated crawlers tracking criminal marketplaces). - Infostealer logs (credentials harvested by malware from infected devices). ### What Breach Checkers Can (and Can’t) Detect A breach checker can confirm: - Whether an identifier (email, phone, username) appeared in a breach. - The breach’s origin, approximate date, and exposed data categories (e.g., passwords, addresses). However, a clean result doesn’t guarantee safety. There’s always a lag between a breach, its discovery, and its inclusion in monitoring tools. A one-time check reflects only known exposures at that moment not future leaks. ### Why Proactive Checks Matter Breach notifications are slow and unreliable. U.S. laws allow companies 30–90 days to notify affected individuals after discovery, and many breaches are never disclosed at all. By then, stolen data may have circulated on the dark web for months. Proactive checking using tools that monitor real-time sources is the only way to detect exposure early. ### How to Check for Exposure #### Email Addresses The most commonly exposed identifier. Tools like DeXpose’s Email Data Breach Scan or Have I Been Pwned (HIBP) cross-reference emails against breach databases and dark web sources. If a password is exposed, all accounts using it (or variations) should be updated immediately. #### Phone Numbers Harder to track due to inconsistent indexing in breaches. HIBP added phone number checks in 2021, covering datasets like the 2021 Facebook breach (533M records). For broader coverage, dark web monitoring tools scan criminal markets where phone numbers appear. #### Social Security Numbers (SSNs) No legitimate tool stores or searches raw SSNs. Instead, checkers like Pentester’s NPD breach tool (for the 2024 National Public Data breach, 2.9B records) verify exposure by matching name, state, and date of birth against known datasets. Additional protections include: - Credit freezes (prevents new account fraud). - IRS Identity Protection PIN (blocks fraudulent tax filings). #### Dark Web Monitoring Standard search engines can’t access the dark web. Dedicated services (e.g., DeXpose’s Dark Web Report) scan criminal markets, forums, and malware logs, providing source-specific alerts (e.g., whether credentials appeared in a fresh infostealer log vs. an old breach). #### High-Profile Breach Checks - AT&T (2024): Two breaches exposed 73M records (including SSNs) and call/text metadata for nearly all wireless customers. Check via [AT&T’s settlement page](https://www.att.com/breach). - National Public Data (NPD): 2.9B records (names, SSNs, addresses) leaked. Verify exposure at [npd.pentester.com](https://npd.pentester.com). - TransUnion/Experian: Credit-focused breaches may include credit history and personal identifiers. Freeze credit and monitor reports. ### After a Breach: Immediate Actions 1. Identify exposed data (e.g., passwords, SSNs, financial info). 2. Change passwords on the breached account and any others using the same (or similar) credentials. 3. Enable multi-factor authentication (MFA) on critical accounts (email, banking). 4. Freeze credit with all three bureaus if SSNs or financial data were exposed. 5. Monitor continuously one-time checks miss future exposures. ### Limitations of Free Tools While free tools like HIBP or Mozilla Monitor cover historical breaches, they often lack real-time dark web monitoring. Paid services (e.g., DeXpose, Google One Dark Web Report) provide broader coverage, including malware logs and criminal marketplaces. ### Key Takeaways - Breach checkers reveal hidden exposures but can’t guarantee safety. - Email checks are the baseline; phone numbers and SSNs require specialized tools. - Dark web monitoring detects fresh leaks faster than breach notifications. - Credit freezes and MFA are critical defenses after exposure. - Continuous monitoring is essential breaches don’t stop after a single check.