
Salesforce Data Breach Class Action: Louis Vuitton, TransUnion, and Dozens of Companies Hit by Social Engineering Attacks

Published March 31, 2026
Updated June 19, 2026
Allegations Only · No Settlement Yet

This article describes class action complaints arising from the 2025 Salesforce-customer data breaches. The statements below are unproven allegations. None of the named companies has been found liable, no class has been certified, and there is nothing to claim at this time. This page is informational and is not legal advice.

A wave of voice-phishing attacks on Salesforce customers turned dozens of household-name brands into data-breach defendants — and if you got a notice from Louis Vuitton, TransUnion, Allianz, or Farmers, your name and Social Security number may already be in the litigation.

Status: Litigation Ongoing. TransUnion cases consolidated as MDL No. 3170 (N.D. Ill.)
People Affected: Millions. TransUnion alone ~4.4M · Louis Vuitton 419,000+ · 300–400 companies estimated
Can I Claim? No, nothing to claim yet. No settlements reached; cases in consolidated pretrial proceedings

A massive wave of social engineering attacks targeting Salesforce customers throughout 2025 has triggered dozens of class action lawsuits against some of the biggest names in finance, insurance, and luxury retail. The cybercriminal group known as ShinyHunters used voice phishing to trick employees into granting access to Salesforce databases at companies including Louis Vuitton North America, TransUnion, Allianz Life Insurance, and Farmers Insurance — exposing the personal data of millions of consumers.

The U.S. Judicial Panel on Multidistrict Litigation ruled on the resulting litigation in December 2025, denying a broad multi-defendant Salesforce MDL (MDL No. 3164) but approving consolidation of TransUnion-specific cases into MDL No. 3170 in the Northern District of Illinois. Meanwhile, lawsuits against Louis Vuitton continue to mount in the Southern District of New York, and litigation hubs have formed in several federal courts across the country.

June 2026 Litigation Update

The Salesforce-related data breach litigation has advanced substantially since the cases were first filed. On May 12, 2026, U.S. District Judge Analisa Torres consolidated six Louis Vuitton data breach class actions under the caption In re Louis Vuitton North America, Inc. Data Breach Litigation, lead Case No. 1:25-cv-07109. The court appointed interim plaintiffs' leadership and set June 11, 2026, as the deadline for a consolidated complaint, with Louis Vuitton's response due 45 days after that complaint is filed.

The TransUnion litigation also continues to expand. According to the U.S. Judicial Panel on Multidistrict Litigation's June 1, 2026, report, MDL No. 3170 now contains 63 pending actions and 67 total historical actions before Judge Robert W. Gettleman in the Northern District of Illinois. Interim class counsel has been appointed and coordinated pretrial proceedings are underway.

Separately, Salesforce filed a motion on May 22, 2026, seeking dismissal of the consolidated class action complaint pending against it in In re Salesforce Customers Security Incident Litigation, No. 3:25-cv-07232-JSC, in the Northern District of California. A hearing on that motion is scheduled for October 29, 2026, before Judge Jacqueline Scott Corley.

The Farmers Insurance cases are now proceeding as a consolidated action, In re Farmers Security Incident Litigation, master Case No. 2:25-cv-07972, in the Central District of California, rather than merely awaiting consolidation — additional cases were folded into that proceeding in January 2026. The Allianz Life litigation has likewise established a plaintiffs' leadership structure in In re Allianz Life Insurance Company of North America Data Incident Litigation, with additional proposed class actions continuing to enter the proceeding through early March 2026.

No settlement, compensation fund, claim form, or claims deadline has been announced in any of these proceedings. Consumers do not currently need to submit a claim. The litigation has moved into consolidated pleadings, motions to dismiss, leadership appointments, and discovery planning.

How the Salesforce Breaches Happened

The breaches did not stem from a vulnerability in Salesforce's own platform. Instead, threat actors used social engineering — specifically voice phishing, or "vishing" — to impersonate IT support staff and trick employees at Salesforce customer companies into installing a malicious version of Salesforce's Data Loader tool. The attackers then abused OAuth authentication tokens to access sensitive customer data and bypass traditional security controls.

The cybercriminal group behind the campaign, tracked by Google's Threat Intelligence Group as UNC6040 and publicly associated with the ShinyHunters collective, targeted companies across multiple industries including technology, retail, aviation, and insurance. In ransom messages sent to victims, the attackers claimed to have compromised data from more than 90 organizations worldwide. By early 2026, security researchers estimated between 300 and 400 companies may have been affected across multiple waves of attacks.

On March 12, 2025, Salesforce published a blog post warning its customers about the social engineering threat and outlining proactive security measures. Plaintiffs in multiple lawsuits allege that companies like Louis Vuitton and TransUnion failed to heed those warnings or implement available safeguards such as restricting network access, enabling multi-factor authentication, and using security tools available through Salesforce Shield.

Louis Vuitton Data Breach: What Happened

Louis Vuitton North America disclosed a data breach impacting more than 419,000 customers. The breach was initially identified on June 7, 2025, but Louis Vuitton did not begin notifying affected customers by mail until August 22, 2025 — a delay that plaintiffs allege violated data breach notification laws in states like Texas and Washington, which require disclosure within 30 days.

The compromised data included names, contact information, dates of birth, driver's license numbers, and partial Social Security numbers. Louis Vuitton stated that no payment information was involved in the breach.

Multiple class action lawsuits have been filed against Louis Vuitton in the Southern District of New York. Among them are Butler-Adams v. Louis Vuitton North America, Inc. (Case No. 1:25-07109) and Miamen, et al. v. Louis Vuitton North America, Inc. (Case No. 1:25-07183). A more recent lawsuit, Winkler, et al. v. Louis Vuitton North America Inc. (Case No. 1:26-cv-00702), alleges the company was negligent in failing to implement basic data security practices despite specific warnings from Salesforce and Google about the ShinyHunters threat.

The Winkler complaint alleges that Louis Vuitton was negligent, breached an implied contract, and violated the Maryland Consumer Protection Act. On May 12, 2026, Judge Analisa Torres consolidated six of these actions under the caption In re Louis Vuitton North America, Inc. Data Breach Litigation (lead Case No. 1:25-cv-07109), appointed interim plaintiffs' leadership, and set June 11, 2026, as the deadline for a consolidated complaint, with Louis Vuitton's response due 45 days afterward.

TransUnion Data Breach: 4.4 Million Affected

TransUnion, one of the three major U.S. credit reporting agencies, disclosed that approximately 4.4 million individuals had their personal information compromised when threat actors executed a social engineering attack on July 28 and 29, 2025. The attackers posed as help desk technicians to gain access to a segment of TransUnion's Salesforce environment.

The exposed data included names, dates of birth, and Social Security numbers — precisely the kind of information that makes identity theft and financial fraud possible.

The TransUnion litigation rapidly expanded to more than 50 lawsuits filed in five federal district courts. On October 3, 2025, TransUnion moved for centralization, and on December 16, 2025, the Judicial Panel on Multidistrict Litigation transferred the cases to the Northern District of Illinois under MDL No. 3170 (In re: Trans Union, LLC, Customer Data Security Breach Litigation). Judge Robert W. Gettleman was selected as the transferee judge.

As of the JPML's June 1, 2026, report, MDL No. 3170 contains 63 pending actions and 67 total historical actions, with interim class counsel appointed and coordinated pretrial proceedings underway. Plaintiffs are seeking both monetary damages and injunctive relief, including enhanced encryption, vendor oversight, and real-time audits of third-party environments.

The Federal Panel's December 2025 Ruling

The December 16, 2025, ruling by the U.S. Judicial Panel on Multidistrict Litigation addressed two competing motions for consolidation:

MDL No. 3164 — Salesforce MDL (DENIED): Plaintiffs in five actions sought to centralize 41 cases involving data theft from multiple Salesforce customers into a single multi-defendant MDL in the Northern District of California. The Panel found that the actions presented few common questions of fact because each breach involved a separate social engineering attack on a different Salesforce customer. Different facts would emerge for each defendant regarding how the attack was conducted, which employee was involved, what procedures were in place, and what types of data were compromised. Neither Salesforce nor any of its customer defendants supported the proposed MDL.

MDL No. 3170 — TransUnion MDL (GRANTED): The Panel found that the 54 cases against TransUnion arising from the same data breach presented common factual questions about TransUnion's duties, the mechanics of the social engineering attack, the adequacy of TransUnion's security procedures, and its response to the breach. With cases pending in five districts and self-organization proving unsuccessful, the Panel transferred the cases to the Northern District of Illinois, where TransUnion is headquartered and the majority of cases were already pending.

The Panel noted that litigation hubs had naturally emerged for each Salesforce-customer defendant: the Northern District of Illinois for TransUnion, the District of Minnesota for Allianz, the Central District of California for Farmers Insurance, the Northern District of California for Salesforce, and the Southern District of New York for Louis Vuitton.

Other Companies Affected

The Salesforce-related breach campaign extended well beyond Louis Vuitton and TransUnion. Other named victims include:

Allianz Life Insurance Company of North America: Lawsuits in the District of Minnesota now organized as In re Allianz Life Insurance Company of North America Data Incident Litigation, with a plaintiffs' leadership committee appointed and additional proposed class actions continuing to be filed through early March 2026.

Farmers Insurance Exchange: Cases in the Central District of California now proceeding as a consolidated action, In re Farmers Security Incident Litigation (master Case No. 2:25-cv-07972), with additional cases folded in during January 2026.

Christian Dior / Tiffany & Co.: Other LVMH subsidiaries that were also reportedly compromised in the same attack campaign.

Workday, Pandora: Named as defendants in some of the multi-defendant complaints. Both opposed inclusion in a Salesforce MDL.

Security researchers estimate that the ShinyHunters group may have compromised between 300 and 400 companies total across multiple waves of attacks in 2025 and early 2026, making this one of the most wide-reaching social engineering campaigns in history.

What Data Was Exposed

The types of personal information compromised varied by company, but across the affected organizations, exposed data reportedly included:

• Full names
• Dates of birth
• Social Security numbers
• Driver's license numbers
• Contact information (addresses, phone numbers, email addresses)
• Government-issued identification numbers
• Insurance policy information
• Credit reporting data

This type of personal information is precisely what identity thieves need to open fraudulent accounts, file false tax returns, and commit other forms of financial fraud.

What Consumers Can Do Now

If you received a data breach notification letter from Louis Vuitton, TransUnion, Allianz, Farmers Insurance, or another company affected by the Salesforce-related breaches, you should take the following steps:

Monitor your credit reports: Check your reports from all three bureaus (Equifax, Experian, and TransUnion) for unauthorized accounts or inquiries.

Place a fraud alert or credit freeze: A fraud alert requires lenders to verify your identity before opening new accounts. A credit freeze prevents new accounts from being opened entirely.

Enroll in identity theft protection: Many of the affected companies are offering free credit monitoring and identity protection services. Take advantage of these offers.

Watch for phishing attempts: Scammers often use stolen personal data to craft convincing phishing emails and phone calls. Be cautious of unsolicited communications requesting personal information.

Consult an attorney: If your personal information was compromised, you may be eligible to participate in a class action lawsuit. Multiple lawsuits are ongoing, and no settlements have been reached yet. An attorney can evaluate your eligibility for a free case review.

Current Status of the Litigation

As of June 2026, the Salesforce-related data breach litigation is active on multiple fronts:

TransUnion (MDL No. 3170): 63 pending actions (67 total historical) consolidated before Judge Robert W. Gettleman in the Northern District of Illinois, per the JPML's June 1, 2026, report. Interim class counsel appointed; coordinated pretrial proceedings underway. No settlements have been reached.

Louis Vuitton: Six class actions consolidated on May 12, 2026, as In re Louis Vuitton North America, Inc. Data Breach Litigation (lead Case No. 1:25-cv-07109) before Judge Analisa Torres in the Southern District of New York. Interim leadership appointed; consolidated complaint due June 11, 2026. No settlements have been reached.

Allianz Life Insurance: Cases consolidated in the District of Minnesota with a plaintiffs' leadership committee appointed; additional actions continued to be filed through early March 2026.

Farmers Insurance: Cases proceeding as a consolidated action in the Central District of California (master Case No. 2:25-cv-07972), with additional cases folded in during January 2026.

Salesforce: Consolidated complaint pending in the Northern District of California (No. 3:25-cv-07232-JSC); Salesforce moved to dismiss on May 22, 2026, with a hearing set for October 29, 2026, before Judge Jacqueline Scott Corley.

The litigation is in its early stages across all fronts. Discovery, class certification motions, and any potential settlement negotiations are expected to take significant time.

Bottom Line

The 2025 Salesforce customer data breach campaign represents one of the largest coordinated social engineering attacks in recent history, with potentially hundreds of companies compromised and millions of consumers' personal data exposed. While the federal judicial panel declined to create a single massive Salesforce MDL, the litigation is far from over. TransUnion faces a consolidated MDL with 63 pending cases, Louis Vuitton's cases have been consolidated before a single judge, and litigation hubs have formed in federal courts across the country.

Consumers who received breach notification letters should take immediate steps to protect their identities and monitor these legal developments closely. As the cases progress through discovery and toward potential class certification, the legal landscape for holding companies accountable for social engineering failures will continue to take shape.


About This Article

This article covers the class action litigation arising from the 2025 Salesforce customer data breaches, including MDL No. 3164 (denied) and MDL No. 3170 (granted), and lawsuits against Louis Vuitton, TransUnion, Allianz Life Insurance, and Farmers Insurance. All cases are in their early stages and no settlements have been reached. OpenClassActions.com covers class action lawsuits, settlements, and consumer legal developments. OpenClassActions.com is a consumer advocacy and class action news site, and is not a class action administrator or a law firm.

Status: Consolidated Pretrial · No Settlement
Lead MDL: In re: Trans Union, LLC, Customer Data Security Breach Litigation
MDL Number: MDL No. 3170
Court: U.S. District Court, Northern District of Illinois
Transferee Judge: Hon. Robert W. Gettleman
Consolidated: December 16, 2025
