Aura protects everyone at home, on every device. Get credit monitoring, identity theft protection, a VPN, password manager, and antivirus in one app.
On July 28, TransUnion confirmed a breach that exposed the personal information of 4.4 million U.S. consumers. State filings show that names, Social Security numbers, and birth dates were accessed through a third-party application connected to TransUnion’s consumer support operations.
The company reported that the incident was identified and contained within hours, and that its core credit database was not compromised. But “not compromised” does not mean “no risk.” Once an SSN and date of birth are leaked, you can’t change them like you would a password.
According to filings in Maine and Texas, the exposed data included identifiers that criminals routinely use to open new accounts, apply for loans, or invent synthetic identities. TransUnion says it’s notifying affected individuals and working with federal investigators. In a year already marked by attacks linked to Salesforce-connected applications, like Gmail’s most recent data breach, here’s your reminder on what to do if you were notified.
Confirm the alert is real
Scammers know that breach letters create a frenzy, and they use that panic to send fake notices by email, text, or even phone calls. A genuine notice from TransUnion will arrive by mail and include clear details about what data was involved, steps you can take, and maybe an activation code for free monitoring.
A fake notice may pressure you to click on a link, “verify your identity,” or download software. If you are unsure, ignore the message and instead check TransUnion’s official site or your state attorney general’s breach database.
Freeze your credit
Credit freezes are free, last as long as you want, and do not affect your credit score. You must contact each bureau individually to place the freeze. Each will give you a PIN or online account to lift it temporarily if you need to apply for credit.
If you anticipate taking out a loan or opening a new card, place a one-year fraud alert, which requires creditors to take extra steps to verify your identity.
Lock down existing accounts
Start with your most sensitive accounts — email, bank, and mobile carrier — and change those passwords first. Use long, unique combinations and store them in a password manager to avoid repeating logins. Then move on to shopping, utility, and social logins, and turn on multi-factor authentication (MFA) anywhere it's offered. This one step makes a stolen password far less useful to someone trying to break in.
Keep an eye on your credit
Check your credit reports weekly at AnnualCreditReport.com, where the three bureaus now provide permanent free access. Look closely for new accounts, hard inquiries, or incorrect personal information. Keep monitoring over time — stolen SSNs can resurface months or even years after a breach.
Report any suspicious activity
If you spot accounts you did not open or charges you cannot explain, take action right away. File an identity theft report at IdentityTheft.gov to get a personalized recovery plan and sample letters you can use to contact creditors. The Federal Trade Commission also has an identity theft hotline at 877-438-4338.
When the National Public Data breach was first reported last year, 2.9 billion records were said to have been compromised. Despite filing for bankruptcy in its aftermath, the site has now resurfaced under new ownership, is still searchable, and just as dangerous.
That’s why just locking down your credit or resetting passwords isn’t enough. Aura gives you ongoing monitoring: dark web scans, three-bureau monitoring, and identity recovery support. As a valued AICPA member, get up to 68% off today.**
**Based on standard pricing starting at $13/ for the Individual Plan.