What happened in the Salesforce data breach?

In 2025, threat actors used social engineering attacks — including voice phishing (vishing) — to trick employees at Salesforce customer companies into granting access to their Salesforce databases. The attacks compromised customer data at companies including Louis Vuitton, TransUnion, Allianz Life Insurance, and Farmers Insurance. The cybercriminal group ShinyHunters has been linked to the campaign.

Is there a class action lawsuit against Louis Vuitton for the data breach?

Yes. Multiple class action lawsuits have been filed against Louis Vuitton North America in the Southern District of New York alleging the company failed to protect consumers' personal information — including names, dates of birth, driver's license numbers, and partial Social Security numbers — from the Salesforce-related data breach.

How many people were affected by the TransUnion data breach?

TransUnion disclosed that approximately 4.4 million individuals had their personal information compromised in the breach, including names, dates of birth, and Social Security numbers.

Can I join the Salesforce data breach class action?

If you received a data breach notification letter from Louis Vuitton, TransUnion, Allianz Life Insurance, Farmers Insurance, or another Salesforce customer company, you may be eligible to participate in a class action lawsuit. Litigation is ongoing and no settlements have been reached. Consult with an attorney for a free case evaluation.

Salesforce Data Breach Class Action: Louis Vuitton, TransUnion, and Dozens of Companies Hit by Social Engineering Attacks

Q: What is MDL No. 3170?

MDL No. 3170 is the federal multidistrict litigation consolidating class action lawsuits related to the TransUnion data breach. The U.S. Judicial Panel on Multidistrict Litigation transferred the cases to the Northern District of Illinois in December 2025 under Judge Robert W. Gettleman. As of March 2026, there are approximately 60 pending actions.

By Steve Levine

Salesforce Data Breach Class Action Louis Vuitton TransUnion 2025

Published: March 31, 2026

A massive wave of social engineering attacks targeting Salesforce customers throughout 2025 has triggered dozens of class action lawsuits against some of the biggest names in finance, insurance, and luxury retail. The cybercriminal group known as ShinyHunters used voice phishing to trick employees into granting access to Salesforce databases at companies including Louis Vuitton North America, TransUnion, Allianz Life Insurance, and Farmers Insurance — exposing the personal data of millions of consumers.

The U.S. Judicial Panel on Multidistrict Litigation ruled on the resulting litigation in December 2025, denying a broad multi-defendant Salesforce MDL (MDL No. 3164) but approving consolidation of TransUnion-specific cases into MDL No. 3170 in the Northern District of Illinois. Meanwhile, lawsuits against Louis Vuitton continue to mount in the Southern District of New York, and litigation hubs have formed in several federal courts across the country.

How the Salesforce Breaches Happened

The breaches did not stem from a vulnerability in Salesforce's own platform. Instead, threat actors used social engineering — specifically voice phishing, or "vishing" — to impersonate IT support staff and trick employees at Salesforce customer companies into installing a malicious version of Salesforce's Data Loader tool. This gave the attackers access to sensitive customer data by abusing OAuth authentication tokens to bypass traditional security controls.

The cybercriminal group behind the campaign, tracked by Google's Threat Intelligence Group as UNC6040 and publicly associated with the ShinyHunters collective, targeted companies across multiple industries including technology, retail, aviation, and insurance. In ransom messages sent to victims, the attackers claimed to have compromised data from more than 90 organizations worldwide. By early 2026, security researchers estimated between 300 and 400 companies may have been affected across multiple waves of attacks.

On March 12, 2025, Salesforce published a blog warning its customers about the social engineering threat and outlining proactive security measures. Plaintiffs in multiple lawsuits allege that companies like Louis Vuitton and TransUnion failed to heed those warnings or implement available safeguards such as restricting network access, enabling multi-factor authentication, and using security tools available through Salesforce Shield.

Louis Vuitton Data Breach: What Happened

Louis Vuitton North America disclosed a data breach impacting more than 419,000 customers. The breach was initially identified on June 7, 2025, but Louis Vuitton did not begin notifying affected customers by mail until August 22, 2025 — a delay that plaintiffs allege violated data breach notification laws in states like Texas and Washington, which require disclosure within 30 days.

The compromised data included names, contact information, dates of birth, driver's license numbers, and partial Social Security numbers. Louis Vuitton stated that no payment information was involved in the breach.

Multiple class action lawsuits have been filed against Louis Vuitton in the Southern District of New York. Among them is Butler-Adams v. Louis Vuitton North America, Inc. (Case No. 1:25-07109) and Miamen, et al. v. Louis Vuitton North America, Inc. (Case No. 1:25-07183). A more recent lawsuit, Winkler, et al. v. Louis Vuitton North America Inc. (Case No. 1:26-cv-00702), alleges the company was negligent in failing to implement basic data security practices despite specific warnings from Salesforce and Google about the ShinyHunters threat.

The Winkler complaint claims Louis Vuitton is guilty of negligence and breach of implied contract and violated the Maryland Consumer Protection Act. Four of the five actions against Louis Vuitton in the Southern District of New York have already been designated as related and assigned to the same judge.

TransUnion Data Breach: 4.4 Million Affected

TransUnion, one of the three major U.S. credit reporting agencies, disclosed that approximately 4.4 million individuals had their personal information compromised when threat actors executed a social engineering attack on July 28 and 29, 2025. The attackers posed as help desk technicians to gain access to a segment of TransUnion's Salesforce environment.

The exposed data included names, dates of birth, and Social Security numbers — precisely the kind of information that makes identity theft and financial fraud possible.

The TransUnion litigation rapidly expanded to more than 50 lawsuits filed in five federal district courts. On October 3, 2025, TransUnion moved for centralization, and on December 16, 2025, the Judicial Panel on Multidistrict Litigation transferred the cases to the Northern District of Illinois under MDL No. 3170 (In re: Trans Union, LLC, Customer Data Security Breach Litigation). Judge Robert W. Gettleman was selected as the transferee judge.

As of March 2026, there are approximately 60 pending actions in the MDL. Plaintiffs are seeking both monetary damages and injunctive relief, including enhanced encryption, vendor oversight, and real-time audits of third-party environments. The litigation is in its early stages with pretrial proceedings underway.

The Federal Panel's December 2025 Ruling

The December 16, 2025, ruling by the U.S. Judicial Panel on Multidistrict Litigation addressed two competing motions for consolidation:

MDL No. 3164 — Salesforce MDL (DENIED): Plaintiffs in five actions sought to centralize 41 cases involving data theft from multiple Salesforce customers into a single multi-defendant MDL in the Northern District of California. The Panel found that the actions presented few common questions of fact because each breach involved a separate social engineering attack on a different Salesforce customer. Different facts would emerge for each defendant regarding how the attack was conducted, which employee was involved, what procedures were in place, and what types of data were compromised. Neither Salesforce nor any of its customer defendants supported the proposed MDL.

MDL No. 3170 — TransUnion MDL (GRANTED): The Panel found that the 54 cases against TransUnion arising from the same data breach presented common factual questions about TransUnion's duties, the mechanics of the social engineering attack, the adequacy of TransUnion's security procedures, and its response to the breach. With cases pending in five districts and self-organization proving unsuccessful, the Panel transferred the cases to the Northern District of Illinois, where TransUnion is headquartered and the majority of cases were already pending.

The Panel noted that litigation hubs had naturally emerged for each Salesforce-customer defendant: the Northern District of Illinois for TransUnion, the District of Minnesota for Allianz, the Central District of California for Farmers Insurance, the Northern District of California for Salesforce, and the Southern District of New York for Louis Vuitton.

Other Companies Affected

The Salesforce-related breach campaign extended well beyond Louis Vuitton and TransUnion. Other named victims include:

• Allianz Life Insurance Company of North America: More than 25 lawsuits filed in the District of Minnesota, all related before one judge.

• Farmers Insurance Exchange: Six lawsuits filed in the Central District of California, with Farmers Insurance seeking consolidation in that district.

• Christian Dior / Tiffany & Co.: Other LVMH subsidiaries that were also reportedly compromised in the same attack campaign.

• Workday, Pandora: Named as defendants in some of the multi-defendant complaints. Both opposed inclusion in a Salesforce MDL.

Security researchers estimate that the ShinyHunters group may have compromised between 300 and 400 companies total across multiple waves of attacks in 2025 and early 2026, making this one of the most wide-reaching social engineering campaigns in history.

What Data Was Exposed

The types of personal information compromised varied by company, but across the affected organizations, exposed data reportedly included:

• Full names
• Dates of birth
• Social Security numbers
• Driver's license numbers
• Contact information (addresses, phone numbers, email addresses)
• Government-issued identification numbers
• Insurance policy information
• Credit reporting data

This type of personal information is precisely what identity thieves need to open fraudulent accounts, file false tax returns, and commit other forms of financial fraud.

What Consumers Can Do Now

If you received a data breach notification letter from Louis Vuitton, TransUnion, Allianz, Farmers Insurance, or another company affected by the Salesforce-related breaches, you should take the following steps:

• Monitor your credit reports: Check your reports from all three bureaus (Equifax, Experian, and TransUnion) for unauthorized accounts or inquiries.

• Place a fraud alert or credit freeze: A fraud alert requires lenders to verify your identity before opening new accounts. A credit freeze prevents new accounts from being opened entirely.

• Enroll in identity theft protection: Many of the affected companies are offering free credit monitoring and identity protection services. Take advantage of these offers.

• Watch for phishing attempts: Scammers often use stolen personal data to craft convincing phishing emails and phone calls. Be cautious of unsolicited communications requesting personal information.

• Consult an attorney: If your personal information was compromised, you may be eligible to participate in a class action lawsuit. Multiple lawsuits are ongoing, and no settlements have been reached yet. An attorney can evaluate your eligibility for a free case review.

Current Status of the Litigation

As of March 2026, the Salesforce-related data breach litigation is active on multiple fronts:

TransUnion (MDL No. 3170): Approximately 60 pending actions consolidated before Judge Robert W. Gettleman in the Northern District of Illinois. Pretrial proceedings are underway. No settlements have been reached.

Louis Vuitton: Multiple class actions pending in the Southern District of New York, with new lawsuits continuing to be filed. Cases have been designated as related before one judge. No settlements have been reached.

Allianz Life Insurance: More than 25 lawsuits related before one judge in the District of Minnesota.

Farmers Insurance: Six lawsuits in the Central District of California, with consolidation being sought.

Salesforce: Several actions pending in the Northern District of California, with a January 2026 order granting consolidation of actions against Salesforce in that district.

The litigation is in its early stages across all fronts. Discovery, class certification motions, and any potential settlement negotiations are expected to take significant time.

Bottom Line

The 2025 Salesforce customer data breach campaign represents one of the largest coordinated social engineering attacks in recent history, with potentially hundreds of companies compromised and millions of consumers' personal data exposed. While the federal judicial panel declined to create a single massive Salesforce MDL, the litigation is far from over. TransUnion faces a consolidated MDL with 60 pending cases, Louis Vuitton continues to be hit with new class actions, and litigation hubs have formed in federal courts across the country.

Consumers who received breach notification letters should take immediate steps to protect their identities and monitor these legal developments closely. As the cases progress through discovery and toward potential class certification, the legal landscape for holding companies accountable for social engineering failures will continue to take shape.

How Do I Find Class Action Settlements?

Find all the latest class actions you can qualify for by getting notified of new lawsuits as soon as they are open to claims:

About This Article

This article covers the class action litigation arising from the 2025 Salesforce customer data breaches, including MDL No. 3164 (denied) and MDL No. 3170 (granted), and lawsuits against Louis Vuitton, TransUnion, Allianz Life Insurance, and Farmers Insurance. All cases are in their early stages and no settlements have been reached. OpenClassActions.com covers class action lawsuits, settlements, and consumer legal developments. OpenClassActions.com is a consumer advocacy and class action news site, and is not a class action administrator or a law firm.

For more class actions keep scrolling below.