
Update From OneTrust on Klue Security Incident 

June 24, 2026

As we continue our investigation into the Klue supply chain incident, we want to share an update with additional details on what happened, the data potentially involved, and how OneTrust responded. 

 

What Happened?

A threat actor used a compromised third-party integration used by OneTrust and many other companies (the Klue Battlecards app) to gain access to OAuth tokens for connecting Klue with third-party integrations, including Salesforce. The threat actor then used these credentials to access CRM-related data within Salesforce environments.

This integration was used between OneTrust and Klue for CRM and sales intelligence purposes. It was not a customer-configured integration, was not connected to customer OneTrust tenants, and did not provide access into customer-managed OneTrust environments or workflows.

Salesforce has communicated that the unauthorized activity occurred between June 11, 2026 and June 12, 2026.

 

What Did OneTrust Do?

Upon discovery of the incident, OneTrust immediately disabled the Klue Battlecards integration to prevent further unauthorized access through the compromised integration. OneTrust also:

  • Blocked known malicious IP addresses and related indicators of compromise across OneTrust security tooling and monitoring platforms.
  • Engaged external incident response and forensic specialists to support containment validation, threat hunting, and forensic investigation activities.
  • Initiated a detailed analysis of Salesforce API activity and associated log data to reconstruct the threat actor activity and determine the specific records accessed during the incident window.
  • Opened an escalation case with Salesforce to support investigation efforts and assist with identification of potentially accessed data.
  • Revoked and reviewed integration-related access, including assessment of service accounts, OAuth-connected applications, and privileged integration permissions associated with Salesforce.

 

What Data Was Affected?

The information exposed was limited to standard business contact information and related CRM data (such as company, name, email, phone number, title, website, industry, region, amount of deal, lost comments, lead source, type of customer, and billing and shipping addresses), as well as records related to support emails. 

There is currently no evidence that passwords, payment card information, customer data processed within the OneTrust platform, or customer tenants were exposed. 

 

Can I Get Access to the Data Exposed?

OneTrust will be as transparent as possible; however, in our role as data controller, we are unable to share certain impacted fields containing PII for individuals without consent from those individuals due to privacy considerations.

 

What Our Customers Can Do

Given that the potentially exposed information includes names, email addresses, and phone numbers, we recommend customers monitor for any unexpected or suspicious communications, particularly those referencing OneTrust, and verify the authenticity of any requests before responding or sharing information.

If OneTrust identifies any customer-specific remediation or follow-up actions, those customers will be contacted directly.

We will continue to provide updates as the investigation progresses. If you need additional support, please reach out to your appropriate contact at OneTrust or contact our support team here.

 

 

June 19, 2026

Trust is at the core of what we do at OneTrust, and we take our responsibility to protect data privacy and security seriously. We want to be transparent about a recent third-party incident associated with market intelligence platform Klue, impacting OneTrust and other organizations.

On June 17, 2026, we identified unauthorized activity within our Salesforce environment associated with a broader security incident impacting Klue’s third-party integration service. As soon as we identified this incident, we took proactive steps to contain the issue and secure our environment.  

The activity is linked to a compromised Klue–Salesforce integration that threat actors used to access customer Salesforce environments. Numerous companies were impacted. 

We are working diligently to determine the full scope of the incident and validate all impacted data with the support of Klue, third-party cybersecurity vendors, privacy counsel, and forensic experts. 

Our investigation to date indicates this incident is isolated to third-party CRM-related data accessible through the Klue–Salesforce integration. As we continue our investigation, we are communicating directly with any customers who require specific remediation or follow-up actions.

We are committed to providing you with timely and transparent updates as our investigation progresses. If you have questions, please reach out to your appropriate contact at OneTrust or contact our support team here.