T

Threats

SentinelOne Confirms Klue Supply Chain Incident Contained to Salesforce

Secure ISS is proactively sharing SentinelOne's update on the Klue supply chain incident, in the interest of transparency and good security hygiene. For awareness only, no action required.


Overview

Advisory Type: Supply Chain / Third-Party Incident Notification

Date: 9 July 2026

Vendor: SentinelOne


On 12 June 2026, Klue identified unauthorised activity affecting part of its integration infrastructure. Its investigation found that an attacker used a compromised legacy credential tied to an integration service to obtain OAuth tokens connecting Klue to third-party platforms, including Salesforce, and then accessed data within a number of connected customer environments. Klue reports the incident was limited to those third-party platforms, with no evidence that customer content stored within the Klue platform itself was affected.

SentinelOne has since self-reported and completed its own forensic investigation, with findings independently verified by a third-party forensic vendor. Consistent with the experience of other organisations affected by the Klue incident, the impact on SentinelOne was limited entirely to its Salesforce environment, through the API integration it had established with Klue. SentinelOne found no evidence of lateral movement into its own systems, and confirmed the incident did not affect its core products, cloud infrastructure, or production environments. Its services remained fully secure, operational, and uninterrupted throughout.


What SentinelOne Has Confirmed

  • The forensic investigation is complete and has been independently verified by a third-party forensic vendor.

  • Impact was contained entirely within SentinelOne's Salesforce environment, via the Klue API integration.

  • There was no lateral movement into SentinelOne's systems.

  • Core products, cloud infrastructure, and production environments were not affected.

  • SentinelOne's services remained secure, operational, and uninterrupted.

  • Analysis of the data involved remains ongoing. This is separate from any direct notification SentinelOne may issue if a specific organisation's data is found to be affected.


Recommended Actions

  • No immediate technical action is required. SentinelOne agents, consoles, and protection are unaffected.

  • If required for your vendor-risk or compliance records, you can request an attestation of the third-party forensic vendor's findings directly from SentinelOne via the SentinelOne Portal.

  • Be aware that SentinelOne's data analysis is ongoing. If your organisation's data is found to be affected, SentinelOne has advised it will notify you directly through a separate process.


Reference

Need help?

Please get in touch on 1300 769 460 or email us. We are here to help you strengthen your cybersecurity posture.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.

Cta Image

Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.