When you hear “data breach at a credit bureau,” your mind probably jumps straight to credit reports or core databases. But the recent TransUnion breach tells a different story.
This attack didn’t hit the credit database. It slipped in through a third-party application tied to their U.S. consumer support systems. In the process, it exposed the personal data of more than 4.4 million Americans, including names, Social Security numbers, dates of birth, and contact information.
The breach was first detected on July 30, 2025, just two days after the attack began. By late August, the news broke publicly, and TransUnion confirmed that while its credit reports remained safe, the third-party connection had been exploited.
For businesses of all sizes, the lesson is clear: it’s not always your own systems that bring you down. Vendors and integrations can be your weakest link.
In this post, we’ll break down what happened at TransUnion, why third-party apps create such big security risks, and what every business, not just Fortune 500s, needs to take away from this incident.
What happened at TransUnion?
Here’s the short version: TransUnion wasn’t breached through its crown-jewel credit database.
The attack came in through a third-party application connected to its U.S. consumer support systems.
Attackers used social engineering to trick their way in, not by exploiting Salesforce itself, but by targeting the integrations tied to it. Think OAuth-connected apps (a standard that lets apps connect and share limited data securely without exposing your password) with more permissions than they really need.
Once inside, they had a backdoor to sensitive consumer data.
The group behind it? ShinyHunters, working as part of a broader campaign that also hit Google, Cisco, Farmers Insurance, and others. Their focus wasn’t breaking into core systems; it was hijacking the trust businesses place in third-party connections.
What they got access to was bad:
- Names, Social Security numbers, dates of birth
- Addresses, phone numbers, emails
- Customer support tickets and records
What they didn’t get: credit reports and the core credit database. That’s important, but it doesn’t soften the blow. SSNs don’t expire, and they don’t reset like a password. Once they’re exposed, the risk of identity theft lingers for years.
For context, the attackers claimed to have stolen 13 million records, tied to about 4.4 million unique consumers. That’s a lot of people who now have to worry about fraud alerts, credit freezes, and phishing attempts.
The bottom line: this wasn’t a one-off technical hiccup. It was part of a larger wave of Salesforce-related attacks in 2025 that preyed on weak vendor connections.
And it worked.
The third-party app problem
The TransUnion breach is a reminder of something most businesses already know but often overlook: your risk doesn’t stop at your own front door. It extends to every vendor, app, and integration you connect to your systems.
Third-party applications are designed to make life easier. They plug into CRMs, marketing tools, and cloud platforms to share data and automate work. But every one of those connections creates a new potential entry point.
Here’s the problem:
Many integrations run on OAuth, which means they can request broad permissions. Too often, those permissions aren’t reviewed or scaled back.
MFA isn’t always enforced on connected apps, which makes them easier to abuse if credentials are stolen or phished.
Logs and activity monitoring are limited, especially in SaaS environments where vendors control what you can see.
In TransUnion’s case, the attackers didn’t need to break into the credit database. They found a weaker link: a third-party app tied into Salesforce. That integration had just enough access to give them what they wanted.
This is exactly what makes third-party risk so tricky. You can have strong internal defenses, but if a vendor connection isn’t locked down, it can become the open door attackers are looking for.
The risks for businesses of all sizes
It’s tempting to look at a breach like TransUnion’s and think, “That’s a Fortune 500 problem, not mine.” The truth is, the same tactics that worked on them are just as effective against small and midsize businesses, sometimes even more so.
Most SMBs rely heavily on third-party tools. CRMs, HR platforms, cloud storage, and marketing automation. They’re all connected, and they all carry some level of access to sensitive data. That means attackers don’t have to brute force their way into your network; they just have to find the one vendor account that isn’t locked down.
Some of the most common weak points we see include:
- No MFA on third-party apps. If someone gets hold of a password, they’re in.
- Too many permissions. A single integration is often granted more access than it really needs.
- Old or forgotten accounts. Vendors or contractors whose logins were never fully revoked.
- No continuous monitoring. Without visibility into what third-party apps are doing, malicious activity can slip by unnoticed.
The reality is simple: you don’t need millions of records to make yourself a target. If your business holds customer data, financial information, or even just credentials to other platforms, you’re on the radar.
That’s why third-party risk management isn’t just for the biggest players; it’s something every business needs to take seriously.
What businesses can do to reduce third-party risk
The good news is, you don’t need to reinvent your entire security strategy to get a handle on third-party risk. The same fundamentals that protect your own systems apply to vendors and integrations too; you just need to make them part of your routine.
Start by auditing your integrations. Take stock of every third-party app connected to your environment, because chances are there are a few that no one really uses anymore but still have access. From there, make sure multi-factor authentication is enforced wherever possible. If an app supports it, turn it on, no exceptions.
Permissions are another area where businesses get tripped up. Most integrations are granted far more access than they need, which means more exposure if something goes wrong. Cutting those back to the bare minimum reduces the blast radius if a breach happens.
It’s also important to keep an eye on activity. Watch for unusual behavior in logs like large data pulls at odd hours or logins from unexpected locations, for example. Don’t forget to plan ahead. Build third-party apps into your incident response process so that if one gets compromised, you’re not scrambling to figure out what to do.
The TransUnion breach is proof that even with enterprise-level resources, vendors can still be the Achilles’ heel. If it can happen to them, it can happen to anyone. The businesses that stay ahead are the ones that treat vendor risk as business risk and lock it down before it becomes a problem.
Partnering to close the gaps
The TransUnion breach makes one thing clear: it’s not always your own systems that put you at risk. Sometimes the real threat comes through the connections you’ve built with trusted vendors and third-party apps.
That’s where we come in. At NTS, we don’t just help businesses protect what they already know about, we help uncover the blind spots that are easy to miss. From auditing third-party integrations and tightening access controls, to monitoring for suspicious activity and building vendors into your incident response plan, we make sure your security extends all the way through your supply chain.
Because the truth is, you don’t need to become a security expert to keep your business safe. You just need a partner who knows what to look for, how to lock it down, and how to step in fast if something does go wrong.
Ready to get proactive about third-party risk? Let’s talk.