[{"data":1,"prerenderedAt":143},["ShallowReactive",2],{"article-slug-onedigital-discloses-2025-supply-chain-breach-affecting-28000":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":31,"sources":32,"events":57,"mitre_techniques":70,"mitre_mitigations":86,"d3fend_countermeasures":100,"iocs":111,"cyber_observables":112,"tags":128,"extract_datetime":133,"article_type":134,"impact_scope":135,"pub_date":36,"reading_time_minutes":142,"createdAt":133,"updatedAt":133},"cb36835a-a7b2-46f8-be6e-4ec107658747","onedigital-discloses-2025-supply-chain-breach-affecting-28000","OneDigital Discloses Supply-Chain Breach from 2025, 28,000 Individuals Impacted","OneDigital Investment Advisors Reveals 2025 Data Breach Affecting 28,414 Clients via Third-Party Chat App","Financial advisory firm OneDigital Investment Advisors has disclosed a data breach that occurred in August 2025, impacting 28,414 individuals. The incident was a supply-chain attack stemming from a vulnerability in the Drift online chat application, which was integrated into their former CRM platform, Salesloft. The breach, which exposed sensitive data including names and Social Security numbers, was discovered after their current CRM provider, Salesforce, alerted them. The significant delay between the breach in August 2025 and the notification in April 2026 highlights the complex and often delayed discovery process in supply-chain security incidents.","## Executive Summary\n**OneDigital Investment Advisors**, a financial advisory firm, has begun notifying 28,414 individuals about a data breach that compromised their sensitive personal information, including names and Social Security numbers. The security incident was a supply-chain attack that occurred in August 2025. 
The point of entry was a vulnerability in the **Drift** online chat tool, which was integrated with OneDigital's former CRM platform, **Salesloft**. The breach was only discovered when the firm's current CRM provider, **[Salesforce](https://www.salesforce.com)**, detected suspicious activity. The eight-month delay between the breach and the notification underscores the persistent and latent risks associated with third-party software integrations and the challenges organizations face in maintaining visibility across their entire software supply chain.\n\n## Threat Overview\nThis incident is a clear example of a cascading supply-chain compromise. The vulnerability was not in OneDigital's own systems but in a third-party application integrated into another third-party platform they were using.\n\n**Timeline of Events:**\n- **August 12-18, 2025:** An unauthorized actor exploits a vulnerability in the Drift chat application. This allows them to access and copy client data stored within OneDigital's Salesforce environment, which was connected to Drift via the Salesloft platform.\n- **August 22, 2025:** Salesforce notifies OneDigital of a potential security event.\n- **April 8, 2026:** OneDigital begins mailing notification letters to the 28,414 affected individuals.\n\nThe compromised data includes highly sensitive PII:\n- Names\n- Social Security numbers\n\nOneDigital is offering 12 months of credit monitoring services to the victims, acknowledging the high risk of identity theft and fraud associated with the stolen data.\n\n## Technical Analysis\nThe attack vector was a vulnerability in a third-party component, a common pattern in supply-chain attacks.\n- **Compromise Software Supply Chain:** [`T1195.002 - Compromise Software Supply Chain`](https://attack.mitre.org/techniques/T1195/002/) - The attackers targeted Drift, a component in OneDigital's software stack, rather than OneDigital itself.\n- **Exploit Public-Facing Application:** [`T1190 - Exploit Public-Facing Application`](https://attack.mitre.org/techniques/T1190/) - The vulnerability was likely in the web-facing components of the Drift chat application or its integration APIs.\n- **Data from Information Repositories:** [`T1213 - Data from Information Repositories`](https://attack.mitre.org/techniques/T1213/) - The goal was to access and steal data from the CRM, a key information repository.\n- **Valid Accounts: Cloud Accounts:** [`T1078.004 - Cloud Accounts`](https://attack.mitre.org/techniques/T1078/004/) - The exploit may have granted the attacker access via the service account or API keys used to connect Drift to Salesforce.\n\n## Impact Assessment\n- **Significant Delayed Risk:** The 28,414 victims have had their SSNs exposed for over eight months without their knowledge, putting them at prolonged risk of identity theft and financial fraud.\n- **Regulatory Consequences:** The long delay in notification could lead to regulatory penalties and legal action, particularly under state data breach notification laws like the one in 
Maine where the breach was filed.\n- **Loss of Client Trust:** For a financial advisory firm, the trust of its clients is its most valuable asset. A breach involving SSNs, coupled with a long notification delay, can be devastating to client relationships.\n- **Complex Liability:** This incident creates a complex web of liability between OneDigital, Salesforce, Salesloft, and Drift, which will likely result in costly legal and contractual disputes.\n\n## Cyber Observables for Detection\nDetecting such an attack requires deep visibility into API traffic and third-party application behavior.\n| Type | Value | Description |\n|---|---|---|\n| log_source | Salesforce Event Monitoring Logs | Look for anomalous API activity from the service account associated with the Drift/Salesloft integration, such as accessing an unusually large number of records. |\n| api_endpoint | `*.salesforce.com/services/data/vXX.X/query` | Monitor for SOQL queries from the integrated app that are broader than necessary (e.g., `SELECT Name, SSN__c FROM Contact`) when the app should only be accessing names. |\n| user_account_pattern | API key usage from unknown IPs | If the integration's API key is used from an IP address not associated with Drift or Salesloft's infrastructure, it is a major red flag. |\n\n## Detection & Response\n- **D3FEND: Cloud Service Monitoring:** Implement comprehensive monitoring for SaaS platforms like Salesforce. Utilize native tools like Salesforce Shield Event Monitoring to create alerts for anomalous data access patterns from integrated applications. 
This aligns with [`D3-CSM: Cloud Service Monitoring`](https://d3fend.mitre.org/technique/d3f:CloudServiceMonitoring).\n- **API Security:** Deploy API security tools that can analyze traffic between integrated applications, baseline normal behavior, and detect threats like data exfiltration or abuse of API keys.\n- **Supply Chain Intelligence:** Subscribe to threat intelligence feeds that specifically cover vulnerabilities and breaches in the third-party software and SaaS applications your organization uses.\n\n## Mitigation\n- **Vendor Risk Management:** Conduct thorough security reviews of all third-party applications before integration. This must include an analysis of the data they will access and the permissions they require.\n- **Principle of Least Privilege for APIs:** When configuring an integration, grant the API key or service account the absolute minimum permissions required. The Drift chat app should not have had permissions to read the Social Security Number field in Salesforce.\n- **Data Minimization:** Do not store sensitive data in systems where it is not absolutely necessary. A key question to ask is why SSNs were accessible to a CRM that was integrated with a chat tool.\n- **D3FEND: Application Configuration Hardening:** Regularly audit the permissions of all integrated applications in your SaaS environments. Permissions can 'drift' over time, and what was once a secure configuration may become vulnerable. This maps to [`D3-ACH: Application Configuration Hardening`](https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening).","Delayed Disclosure: OneDigital reveals a supply-chain breach from Aug 2025 affecting 28k clients. Hackers exploited the Drift chat app to steal SSNs from Salesforce. 
⛓️ #SupplyChainAttack #DataBreach #Salesforce #InfoSec","OneDigital Investment Advisors discloses a data breach from August 2025 where a supply-chain attack via the Drift chat app led to the compromise of 28,414 individuals' data, including SSNs.",[13,14,15],"Supply Chain Attack","Data Breach","Regulatory","high",[18,21,24,26,29],{"name":19,"type":20},"OneDigital Investment Advisors","company",{"name":22,"type":20,"url":23},"Salesforce","https://www.salesforce.com",{"name":25,"type":20},"Salesloft",{"name":27,"type":28},"Drift","product",{"name":30,"type":20},"Experian",[],[33,39,45,51],{"url":34,"title":35,"date":36,"friendly_name":37,"website":38},"https://www.plansponsor.com/onedigital-latest-to-warn-clients-of-salesforce-data-breach/","OneDigital Latest to Warn Clients of Salesforce Data Breach","2026-04-14","PLANSPONSOR","plansponsor.com",{"url":40,"title":41,"date":42,"friendly_name":43,"website":44},"https://www.classaction.org/blog/onedigital-data-breach-affects-28k-attorneys-investigating","OneDigital Data Breach Affects 28K; Attorneys Investigating","2026-04-09","ClassAction.org","classaction.org",{"url":46,"title":47,"date":48,"friendly_name":49,"website":50},"https://apps.web.maine.gov/online/aeviewer/ME/40/2c85e8d2-45e0-40e9-b54c-5da3097b6f38.shtml","Data Breach Notifications - OneDigital Investment Advisors LLC","2026-04-08","Maine Attorney General","maine.gov",{"url":52,"title":53,"date":54,"friendly_name":55,"website":56},"https://www.wealthmanagement.com/ria-news/onedigital-warns-clients-alleged-salesforce-data-breach","OneDigital Warns Clients of Alleged Salesforce Data Breach","2026-04-10","WealthManagement.com","wealthmanagement.com",[58,61,64,67],{"datetime":59,"summary":60},"2025-08-12T00:00:00Z","Unauthorized actor begins accessing and copying client data.",{"datetime":62,"summary":63},"2025-08-18T00:00:00Z","Unauthorized access period ends.",{"datetime":65,"summary":66},"2025-08-22T00:00:00Z","Salesforce informs OneDigital of a potential 
security event.",{"datetime":68,"summary":69},"2026-04-08T00:00:00Z","OneDigital begins sending notification letters to affected individuals.",[71,75,78,82],{"id":72,"name":73,"tactic":74},"T1195.002","Compromise Software Supply Chain","Initial Access",{"id":76,"name":77,"tactic":74},"T1190","Exploit Public-Facing Application",{"id":79,"name":80,"tactic":81},"T1213","Data from Information Repositories","Collection",{"id":83,"name":84,"tactic":85},"T1078.004","Valid Accounts: Cloud Accounts","Defense Evasion",[87,92,96],{"id":88,"name":89,"description":90,"domain":91},"M1054","Software Configuration","Apply the principle of least privilege to API integrations, ensuring third-party apps cannot access sensitive data they don't need.","enterprise",{"id":93,"name":94,"description":95,"domain":91},"M1016","Vulnerability Scanning","Implement a robust third-party risk management program that includes security assessments of all integrated software.",{"id":97,"name":98,"description":99,"domain":91},"M1047","Audit","Leverage SaaS monitoring tools to audit API activity and detect anomalous data access patterns.",[101,106],{"technique_id":102,"technique_name":103,"url":104,"recommendation":105,"mitre_mitigation_id":88},"D3-SPM","SaaS Posture Management","https://d3fend.mitre.org/technique/d3f:SaaSPostureManagement","To prevent supply-chain breaches like the one at OneDigital, organizations must adopt a proactive SaaS Security Posture Management (SSPM) strategy. This goes beyond initial vendor vetting. For the Salesforce environment, an SSPM tool should be used to continuously scan for misconfigurations and excessive permissions granted to integrated third-party apps like Drift/Salesloft. The tool should have immediately flagged that a chat application had been granted API access to a field containing Social Security Numbers (`SSN__c`). This is a critical policy violation. 
A proper SSPM program would automatically alert security teams to this 'privilege creep' and provide a workflow for remediation, which involves modifying the integration's permission set in Salesforce to remove access to all sensitive fields. This automated, continuous governance is essential to managing the risk of dozens or hundreds of interconnected SaaS applications.",{"technique_id":107,"technique_name":108,"url":109,"recommendation":110,"mitre_mitigation_id":97},"D3-CSM","Cloud Service Monitoring","https://d3fend.mitre.org/technique/d3f:CloudServiceMonitoring","For detective control, continuous Cloud Service Monitoring is vital. OneDigital should have been ingesting Salesforce Shield Event Monitoring logs into their SIEM. Specifically, the `ApiEvent` and `DataExportEvent` log types are critical. A detection rule should have been in place to monitor the service account associated with the Drift integration. This rule would baseline normal activity (e.g., 'accesses 10-20 contact records per hour, never reads SSN__c field') and alert on any significant deviation. The attacker's activity—accessing over 28,000 records and specifically querying the SSN field—would have represented a massive anomaly. 
A well-configured detection rule, such as 'Alert if service account `svc_drift` accesses more than 100 records in an hour OR if `ApiEvent.Query` contains `SSN__c`', could have detected the breach in August 2025, rather than relying on a notification from another vendor months later.",[],[113,118,123],{"type":114,"value":115,"description":116,"context":117,"confidence":16},"log_source","Salesforce Event Monitoring (ApiEvent)","Monitor for an integrated application's service account accessing an unusually high number of records or accessing sensitive fields it doesn't normally touch.","Cloud SIEM, SaaS Security Posture Management (SSPM)",{"type":119,"value":120,"description":121,"context":122,"confidence":16},"user_account_pattern","Anomalous API key usage","API key activity from unexpected IP ranges or geographic locations indicates the key may have been compromised and is being used outside the legitimate vendor's infrastructure.","Cloud security logs, API gateway logs",{"type":124,"value":125,"description":126,"context":127,"confidence":16},"string_pattern","SELECT Id, Name, Social_Security_Number__c FROM Contact","An API query from a chat application that requests Social Security Numbers is a major policy violation and a strong indicator of misconfiguration or abuse.","Salesforce event logs, API security tool",[13,14,129,22,27,130,131,132],"OneDigital","Delayed Disclosure","PII","SSN","2026-04-14T15:00:00.000Z","NewsArticle",{"geographic_scope":136,"countries_affected":137,"industries_affected":139,"people_affected_estimate":141},"national",[138],"United States",[140],"Finance","28,414",7,1776260640876]