Casmer Labs, Cloud Storage Security’s (CSS) internal threat laboratory, monitors the dynamic landscape of cybersecurity, cloud security, and particularly cloud data security. Our mission is to ensure that our customers and the public are informed about critical security developments, incidents, and updates.
The Breakdown
On July 28, 2025, TransUnion experienced unauthorized access to personal data through a third-party application that serves its U.S. consumer support operations. The company detected the intrusion on July 30. In its breach filing TransUnion reported 4,461,511 affected U.S. individuals, stated that credit reports and core credit data were not accessed, and offered 24 months of credit monitoring.
Independent reporting, based on samples shared by the threat actor, indicates the stolen data included names, billing addresses, phone numbers, email addresses, dates of birth, and unredacted Social Security numbers, as well as customer support ticket data/messages stored in Salesforce.
The How
The incident aligns with a broader 2025 wave of Salesforce data-theft and extortion campaigns that Google Threat Intelligence Group (GTIG) tracks as UNC6040 and UNC6395:
- UNC6040: voice phishing (vishing) in which the caller impersonates IT support and talks the user through authorizing a malicious Salesforce Connected App (often a modified "Data Loader"). The resulting OAuth grant gives the actor scoped API access, which is then used for bulk export.
- UNC6395: abuse of OAuth tokens stolen from a third-party chatbot integration (Salesloft Drift) to query and export Salesforce data; the affected tokens were subsequently revoked.
TransUnion publicly described the vector as a third-party application tied to consumer support; multiple outlets linked the theft to the Salesforce campaign above.
The Main Problem
The weak point was third-party/SaaS access governance: over-trusted OAuth Connected Apps, combined with successful social engineering, let API-level bulk export pass as legitimate integration activity. Salesforce and the public advisories stress that this was not a platform vulnerability but abuse of authorized app flows.
What Would Have Prevented or Limited It
- Restrict or allow-list Connected Apps and the OAuth scopes they may request; limit who can authorize apps to a small admin group; rotate and revoke third-party tokens on a schedule; disable unused apps.
- IP and session restrictions for Salesforce access and app authorizations (e.g., VPN egress ranges; login IP enforcement).
- Event Monitoring (Salesforce Shield) and Transaction Security policies to alert on or block unusual exports: large Bulk API jobs, off-hours pulls, newly authorized apps.
- Least privilege for API and export permissions on support roles; remove the "API Enabled" permission except where a documented integration needs it; keep tokens short-lived.
- Vishing-resistant procedures, following the FBI FLASH and GTIG indicators and playbooks: call-back verification through a known-good number before any app authorization or credential reset.
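The Event Monitoring and least-privilege points above reduce to a few detection rules: an app that is not on the allow-list, a single job that is too large for a support profile, activity outside business hours, and cumulative export volume per user. The script below is an added example written for this post, not Salesforce or Cloud Storage Security code. The record layout is an assumed, simplified schema loosely modeled on the BulkApi event type of Event Monitoring (it is not the exact EventLogFile column set), and the allow-list, thresholds and log rows are constructed for illustration.

```python
"""Flag bulk-export patterns that UNC6040-style Connected App abuse produces.

Added example (not Salesforce or CSS code). The record layout is an
assumed, simplified schema loosely modeled on Event Monitoring's BulkApi
event type; it is not the exact EventLogFile column set. Thresholds and
the app allow-list are illustrative assumptions.
"""
import csv
import io
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

Alert = namedtuple("Alert", "rule user app detail")

# Assumed allow-list: the only Connected Apps the support org has approved.
# A vished user authorizing anything else (e.g. a renamed "Data Loader")
# trips the first rule regardless of what the app calls itself.
ALLOWED_APPS = {"Service Console", "Ticketing Sync"}

# Assumed thresholds for a support profile that never needs bulk access.
MAX_ROWS_PER_JOB = 5_000
MAX_ROWS_PER_USER = 20_000      # cumulative across the log window
BUSINESS_HOURS = range(6, 22)   # 06:00-21:59 UTC counts as on-hours

# Constructed sample log (not real TransUnion or Salesforce data).
SAMPLE_LOG = """TIMESTAMP,USER_ID,CONNECTED_APP,EVENT_TYPE,ENTITY_TYPE,NUMBER_OF_RECORDS,CLIENT_IP
2025-07-28T14:02:11Z,005A1,Service Console,BulkApi,Case,1200,203.0.113.10
2025-07-28T14:05:40Z,005A1,Service Console,BulkApi,Case,900,203.0.113.10
2025-07-28T23:41:07Z,005B7,Data Loader,BulkApi,Contact,48000,198.51.100.77
2025-07-28T23:44:19Z,005B7,Data Loader,BulkApi,Case,31000,198.51.100.77
2025-07-29T09:10:00Z,005C3,Ticketing Sync,BulkApi,Case,300,203.0.113.10
"""


def parse_records(text):
    """Parse CSV event rows; timestamps are ISO-8601 UTC."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(
            row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["rows"] = int(row["NUMBER_OF_RECORDS"])
        records.append(row)
    return records


def detect(records):
    """Apply per-job and per-user rules; return a list of Alert tuples."""
    alerts = []
    rows_per_user = defaultdict(int)
    for r in records:
        user, app = r["USER_ID"], r["CONNECTED_APP"]
        if app not in ALLOWED_APPS:
            alerts.append(Alert("unapproved_app", user, app,
                                f"{app} is not on the Connected App allow-list"))
        if r["rows"] > MAX_ROWS_PER_JOB:
            alerts.append(Alert("large_export", user, app,
                                f"{r['rows']} {r['ENTITY_TYPE']} rows in one job"))
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(Alert("off_hours", user, app,
                                f"export at {r['ts'].isoformat()}"))
        rows_per_user[user] += r["rows"]
    # Many small jobs can add up to a bulk dump; check the window total too.
    for user, total in rows_per_user.items():
        if total > MAX_ROWS_PER_USER:
            alerts.append(Alert("cumulative_volume", user, "",
                                f"{total} rows across all jobs"))
    return alerts


def rules_by_user(alerts):
    """Collapse alerts into {user: set(rules)} for triage or session blocking."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a.user].add(a.rule)
    return dict(grouped)


if __name__ == "__main__":
    for a in detect(parse_records(SAMPLE_LOG)):
        print(f"[{a.rule}] user={a.user} app={a.app!r} {a.detail}")
```

On the constructed log only user 005B7 fires, and it fires on all four rules at once; in practice the allow-list rule is the one worth turning into a blocking Transaction Security policy, because it does not depend on guessing a volume threshold.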
How DataDefender Could Have Helped
The initial compromise occurred in SaaS (Salesforce), so SaaS-side controls are what stop this family of attacks at the source. A Data Security Posture Management (DSPM) solution focused on cloud storage reduces blast radius and speeds response once exported data lands in storage:
- Detect staging/exfil paths: If exported datasets are staged or moved through AWS storage (e.g., CSVs in S3 or synced to data lakes), activity monitoring surfaces anomalous reads/writes, large object movements, and unfamiliar principals touching sensitive buckets.
- Minimize sensitive copies: Discovery/classification identifies SSNs/DoB and other PII across storage so teams can eliminate unnecessary replicas and tighten access around high-risk locations.
- Accelerate post-incident scoping: Rapidly map where identical or related datasets reside to support precise notifications, access revocation, and verified remediation.
- Shut down common exfil routes: Automated checks catch public buckets, permissive ACLs, cross-account exposure, and insecure snapshots frequently abused after an initial SaaS foothold.
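The first and last points above are concrete enough to show as code: watching CloudTrail S3 data events for unfamiliar principals, cross-account reads and bulk read volume on buckets classified as sensitive, and checking a bucket policy for the public or cross-account grants that turn a staging bucket into an exfil route. The script below is an added example written for this post, not DataDefender code. The CloudTrail keys it reads (eventName, userIdentity.arn, requestParameters.bucketName, additionalEventData.bytesTransferredOut, sourceIPAddress) are real S3 data-event fields; the account ID, bucket names, principals, threshold, events and policy are constructed assumptions.

```python
"""Spot S3 staging/exfiltration in CloudTrail S3 data events, and flag
bucket policies that open an exfil route (public or cross-account).

Added example, not DataDefender code. The CloudTrail keys used here are
real S3 data-event fields; the events, buckets, principals and thresholds
are constructed assumptions.
"""
import json
from collections import defaultdict

ACCOUNT_ID = "111111111111"               # assumed: our own account
SENSITIVE_BUCKETS = {"support-exports"}   # assumed: classified as holding PII
KNOWN_PRINCIPALS = {"arn:aws:iam::111111111111:role/support-etl"}
MAX_BYTES_OUT = 50 * 1024 * 1024          # 50 MiB read per principal per window


def event(name, arn, bucket, key, ip, **extra):
    """Build a trimmed CloudTrail S3 data event (constructed test data)."""
    return {"eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, "key": key},
            "sourceIPAddress": ip, "additionalEventData": extra}


SAMPLE_EVENTS = [
    event("PutObject", "arn:aws:iam::111111111111:role/support-etl",
          "support-exports", "daily/cases.csv", "10.0.1.5", bytesTransferredIn=2_000_000),
    event("GetObject", "arn:aws:iam::111111111111:role/support-etl",
          "support-exports", "daily/cases.csv", "10.0.1.5", bytesTransferredOut=2_000_000),
    event("GetObject", "arn:aws:iam::111111111111:user/contractor-tmp",
          "support-exports", "daily/contacts.csv", "198.51.100.77", bytesTransferredOut=40_000_000),
    event("GetObject", "arn:aws:iam::111111111111:user/contractor-tmp",
          "support-exports", "daily/cases.csv", "198.51.100.77", bytesTransferredOut=30_000_000),
    event("GetObject", "arn:aws:iam::999999999999:role/partner-sync",
          "support-exports", "daily/cases.csv", "203.0.113.9", bytesTransferredOut=1_000_000),
    event("GetObject", "arn:aws:iam::111111111111:role/support-etl",
          "public-assets", "logo.png", "10.0.1.5", bytesTransferredOut=50_000),
]


def account_of(arn):
    """Account ID is the fifth colon-separated ARN field; bare IDs pass through."""
    return arn.split(":")[4] if ":" in arn else arn


def analyze_events(events):
    """Return (rule, principal, detail) tuples for activity on sensitive buckets."""
    alerts, seen_unknown = [], set()
    bytes_out = defaultdict(int)
    for e in events:
        bucket = e["requestParameters"]["bucketName"]
        if bucket not in SENSITIVE_BUCKETS:
            continue
        arn, name = e["userIdentity"]["arn"], e["eventName"]
        if arn not in KNOWN_PRINCIPALS and arn not in seen_unknown:
            seen_unknown.add(arn)   # one alert per new principal, not per call
            alerts.append(("unfamiliar_principal", arn,
                           f"{name} on {bucket} from {e['sourceIPAddress']}"))
        if account_of(arn) != ACCOUNT_ID:
            alerts.append(("cross_account_access", arn, f"{name} on {bucket}"))
        if name == "GetObject":
            bytes_out[arn] += int(e["additionalEventData"].get("bytesTransferredOut", 0))
    for arn, total in bytes_out.items():
        if total > MAX_BYTES_OUT:
            alerts.append(("bulk_read_volume", arn, f"{total} bytes read in window"))
    return alerts


# Constructed bucket policy: one sane statement and two dangerous ones.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "EtlRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/support-etl"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::support-exports/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::support-exports/*"},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::support-exports/*"}
  ]
}""")


def policy_exposures(policy):
    """Return (issue, Sid) for Allow statements granting the world (with no
    Condition) or another account access. Principal "*" with a Condition is
    not flagged here; review those by hand."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else (aws or [])):
            if p == "*":
                if not stmt.get("Condition"):
                    issues.append(("public", sid))
            elif account_of(p) != ACCOUNT_ID:
                issues.append(("cross_account", sid))
    return issues


if __name__ == "__main__":
    for a in analyze_events(SAMPLE_EVENTS):
        print(a)
    print(policy_exposures(SAMPLE_POLICY))
```

The volume rule is deliberately per principal and per window rather than per object, because the staged exports in a campaign like this are a handful of large CSVs, not thousands of small reads; the policy check treats a cross-account root principal as a finding even though it is a common partner pattern, since that is exactly the grant an attacker with a foothold in the partner account would use.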
Try DataDefender for Yourself
DataDefender by Cloud Storage Security centers on activity monitoring: see who is accessing what, where, and when across S3, EBS, EFS, FSx, and Glacier in real time, detect anomalous reads/writes and large transfers, and trigger alerts and workflows to stop data exfiltration before it spreads. DataDefender also proactively checks 90+ storage security configurations across 11 cloud storage services, organized by severity so critical issues like public S3 buckets or over-shared EBS snapshots are fixed first. Get started at signup.datadefender.io.
About Cloud Storage Security
Cloud Storage Security (CSS) protects the storage layer in the cloud. DataDefender is an activity-monitoring DSPM focused on safeguarding your organization’s most important asset. We prevent ransomware, data exfiltration, and insider misuse while delivering continuous visibility and control. Sign up at signup.datadefender.io.
Cloud Storage Security’s cloud antivirus is also available in AWS Marketplace with a 30-day free trial.
Sources
- BleepingComputer — TransUnion suffers data breach impacting over 4.4 million people: https://www.bleepingcomputer.com/news/security/transunion-suffers-data-breach-impacting-over-44-million-people/
- Reuters — TransUnion says 4.4 million consumers’ data compromised in hack: https://www.reuters.com/markets/europe/transunion-says-44-million-consumers-data-compromised-hack-2025-08-28/
- SecurityWeek — TransUnion Data Breach Impacts 4.4 Million: https://www.securityweek.com/transunion-data-breach-impacts-4-4-million/
- The Register — TransUnion admits 4.5M affected after third-party support app breached: https://www.theregister.com/2025/08/28/transunion_support_app_breach/
- Maine Attorney General — breach filing: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/3dcd9b7c-bce3-4685-bffd-f728ce96e2fd.html
- Google Threat Intelligence — The Cost of a Call: From Voice Phishing to Data Extortion: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
- Google Threat Intelligence — Widespread Data Theft Targets Salesforce Instances via Salesloft Drift: https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
- FBI FLASH (TLP:CLEAR) — UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion: https://www.ic3.gov/CSA/2025/250912.pdf
- Salesforce — Protect Your Salesforce Environment from Social Engineering Threats: https://www.salesforce.com/blog/protect-against-social-engineering/
- Salesforce Admin — Get Ready for Changes to Connected App Usage Restrictions: https://admin.salesforce.com/blog/2025/get-ready-for-changes-to-connected-app-usage-restrictions
- NJCCIC — Public Data Breaches: https://www.cyber.nj.gov/Home/Components/News/News/1787/216