
TransUnion Hack: 4.4M People’s Data Exposed in ‘Incident Involving Third-Party App’

By Henry Martin

TransUnion says that more than 4.4M people’s data has been exposed in a hack by an unknown threat actor. 

The credit bureau posted a letter to the Maine attorney general’s website revealing it had “recently experienced a cyber incident involving a third-party application serving our US consumer support operations.” The breach occurred on July 28 and was discovered on July 30.

The third-party application was not disclosed, but the incident comes amid a recent wave of compromises at big-name companies, many of them Salesforce customers, often carried out through ‘social engineering’ techniques.

SF Ben note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published an article to help.

TransUnion Hack: What Happened?

In a statement, TransUnion said it had “quickly contained the issue, which did not involve our core credit database or include credit reports.”

Maine legally requires disclosures for certain kinds of breaches that affect its residents. 

Salesforce told us that they do not comment on specific customer issues, but they encourage everyone to review their trust post on best practices for organizations to protect their Salesforce environments from social engineering threats.

Customers should make sure multi-factor authentication (MFA) is enabled, enforce the principle of least privilege, and carefully manage connected applications.

“Importantly, the Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology,” Salesforce says. 

“We know how disruptive and stressful these incidents can be, and our teams are fully engaged to support affected customers and help minimize any impact. If you have questions about your Salesforce security settings or need support, please reach out to Salesforce Support via the Help portal.”

In a notice to affected Maine residents, sent on August 26, TransUnion wrote: “We recently experienced a cyber incident involving a third-party application serving our U.S. consumer support operations. The unauthorized access includes some limited personal information belonging to you.

“We regret any concern caused by this incident and take seriously the responsibility to help secure consumer information. The information was limited to specific data elements and did not include credit reports or core credit information.”

Final Thoughts 

Salesforce stresses that these incidents are not down to a vulnerability within their platform. 

Google has posted a research blog on UNC6040 – the threat actor which has “consistently claimed to be the threat group ShinyHunters” – and how they impersonate IT support in convincing phone-based social engineering campaigns. 

It is not known who is behind this incident, but security should be at the forefront of every Salesforce professional’s mind right now, it seems. 

The Author

Henry Martin

Henry is a Tech Reporter at Salesforce Ben.
