T
Threats
SentinelOne Confirms Klue Supply Chain Incident Contained to Salesforce

Secure ISS is proactively sharing SentinelOne's update on the Klue supply chain incident, in the interest of transparency and good security hygiene. For awareness only, no action required.
Overview
Advisory Type: Supply Chain / Third-Party Incident Notification
Date: 9 July 2026
Vendor: SentinelOne
On 12 June 2026, Klue identified unauthorised activity affecting part of its integration infrastructure. Its investigation found that an attacker used a compromised legacy credential tied to an integration service to obtain OAuth tokens connecting Klue to third-party platforms, including Salesforce, and then accessed data within a number of connected customer environments. Klue reports the incident was limited to those third-party platforms, with no evidence that customer content stored within the Klue platform itself was affected.
SentinelOne has since self-reported and completed its own forensic investigation, with findings independently verified by a third-party forensic vendor. Consistent with the experience of other organisations affected by the Klue incident, the impact on SentinelOne was limited entirely to its Salesforce environment, through the API integration it had established with Klue. SentinelOne found no evidence of lateral movement into its own systems, and confirmed the incident did not affect its core products, cloud infrastructure, or production environments. Its services remained fully secure, operational, and uninterrupted throughout.
What SentinelOne Has Confirmed
The forensic investigation is complete and has been independently verified by a third-party forensic vendor.
Impact was contained entirely within SentinelOne's Salesforce environment, via the Klue API integration.
There was no lateral movement into SentinelOne's systems.
Core products, cloud infrastructure, and production environments were not affected.
SentinelOne's services remained secure, operational, and uninterrupted.
Analysis of the data involved remains ongoing. This is separate from any direct notification SentinelOne may issue if a specific organisation's data is found to be affected.
Recommended Actions
No immediate technical action is required. SentinelOne agents, consoles, and protection are unaffected.
If required for your vendor-risk or compliance records, you can request an attestation of the third-party forensic vendor's findings directly from SentinelOne via the SentinelOne Portal.
Be aware that SentinelOne's data analysis is ongoing. If your organisation's data is found to be affected, SentinelOne has advised it will notify you directly through a separate process.
Reference
SentinelOne Partner Notification: Klue security incident update
SentinelOne Customer/Partner Portal (to request the forensic attestation)
Need help?
Please get in touch on 1300 769 460 or email us. We are here to help you strengthen your cybersecurity posture.
