OneDigital Investment Advisors LLC, an SEC-registered financial advisory firm, has disclosed a significant data breach affecting tens of thousands of customers across the United States. The breach exposed some of the most sensitive personal and financial information a company can hold: Social Security numbers and financial account data.
The attack targeted Drift, an online chat application managed by Salesloft that was integrated with OneDigital's Salesforce customer relationship management (CRM) platform. Attackers exploited a vulnerability in the connection between these two third-party systems, gaining access to a wide range of client records stored within OneDigital's Salesforce environment. The firm says its own internal networks were not directly compromised.
Timeline of the Breach
- August 12-18, 2025: Unauthorized actors access and copy OneDigital client data stored in Salesforce via the compromised Drift application.
- August 22, 2025: Salesforce notifies OneDigital of a potential security event involving the Drift integration.
- December 22, 2025: OneDigital officially records its "breach discovery date" - roughly four months after first being alerted by Salesforce.
- April 8-10, 2026: OneDigital begins mailing breach notification letters and files disclosures with multiple state Attorneys General, including Texas, Maine, Massachusetts, New Hampshire, and California. Victims learn of the breach nearly eight months after their data was stolen.
Why does the timeline matter? In many data breach lawsuits, the gap between when a company learns of a breach and when it notifies victims is central to claims of negligence. Here, Salesforce alerted OneDigital in August 2025, yet victims did not receive letters until April 2026. That delay may be legally significant.
What Information Was Exposed?
According to disclosures filed with multiple state Attorneys General, the data exposed in the OneDigital breach varied by individual but included:
- Full legal names
- Social Security numbers
- Financial account information (account numbers, credit or debit card numbers)
This combination of financial and identity data is among the highest-risk categories of personal information exposure. Social Security numbers cannot be changed, making victims permanently vulnerable to identity theft, fraudulent tax filings, unauthorized account openings, and medical identity theft.
Who Is OneDigital Investment Advisors?
OneDigital Investment Advisors LLC is the investment advisory arm of a larger insurance, financial services, and HR consulting firm. The company is SEC-registered and manages assets for thousands of individual and employer clients across all 50 states.
The breach affected 28,414 clients across multiple states. Disclosures were filed with the Attorneys General in Texas, Maine, Massachusetts, New Hampshire, and California.
Do You Have Legal Options?
If you received a breach notification letter from OneDigital Investment Advisors, you may have the right to seek financial compensation. Our data breach lawyers have successfully pursued claims against companies for:
- Failing to adequately secure sensitive client information
- Unreasonable delays in notifying victims after learning of the breach
- Storing unnecessary sensitive data without adequate safeguards
- Failure to properly vet or monitor third-party vendors like Salesforce and Drift
- Harm caused by the exposure, including time spent on remediation, credit monitoring costs, and emotional distress
OneDigital has acknowledged that it is "reviewing our policies, procedures, and processes related to the storage of sensitive information." That admission, combined with the months-long delay in notifying victims, is the kind of evidence that data breach attorneys investigate when building a case.
Multiple law firms have already announced investigations into the OneDigital breach, and class action lawsuits are being actively explored on behalf of affected individuals.
What OneDigital Is Offering - And Why You Should Talk to an Attorney First
OneDigital is offering 12 months of complimentary credit monitoring and identity protection services through Experian IdentityWorks, including $1 million in identity theft insurance. Enrollment must be completed by June 30, 2026.
Before you enroll, speak with an attorney. Accepting services offered by the company responsible for a breach can complicate your legal case. It may be used to argue that your damages were mitigated or that you accepted a form of compensation, potentially reducing what you are owed.
A data breach lawsuit, if successful, can result in compensation that goes far beyond what credit monitoring provides, including damages for out-of-pocket losses, time and effort spent protecting yourself, and the ongoing risk to which you have been exposed. An attorney can advise you on the best course of action before any deadlines pass.
Steps to Take Right Now
- Place a free credit freeze with all three bureaus: Equifax, Experian, and TransUnion.
- Review your financial accounts and credit reports for any unauthorized activity.
- Change passwords on financial accounts, especially any linked to OneDigital.
- Enable two-factor authentication on email and banking accounts.
- Keep your breach notification letter. It is important documentation if you pursue legal action.
- Contact an attorney before enrolling in any services offered by OneDigital. Accepting credit monitoring or identity protection from the breached company may affect your legal options. Speak with a lawyer first.
Frequently Asked Questions
How do I know if I was affected by the OneDigital data breach? OneDigital began mailing notification letters on April 8, 2026, via U.S. Mail. If you are or were a OneDigital Investment Advisors client and received a letter, your information was exposed. If you believe you are a client and have not received a letter, contact OneDigital directly or consult an attorney.
Is there a deadline to file a lawsuit? Yes. Data breach claims are subject to statutes of limitations that vary by state. In many states, the clock starts when you received or should have received notice of the breach. Given that notices went out in April 2026, it is important to consult an attorney as soon as possible to preserve your options.
Does joining a class action lawsuit cost anything? Typically no. Most data breach class action attorneys work on a contingency basis, meaning you pay nothing unless the case results in a settlement or verdict. There is no financial risk to getting a free case evaluation.
What if my information has not been misused yet? You may still have legal standing even if you have not yet experienced identity theft or fraud. Courts have increasingly recognized that the exposure of sensitive data, and the ongoing risk it creates, constitutes compensable harm. An attorney can assess your specific situation.
Is OneDigital responsible if the breach happened through a third party? Potentially, yes. Companies have a legal obligation to exercise reasonable care in selecting and monitoring the vendors they entrust with client data. If OneDigital failed to properly vet or oversee its integrations, it may be held liable for the resulting harm even though the attack originated through a third party.
Speak With a Data Breach Attorney Today
Our firm is actively reviewing claims related to the OneDigital Investment Advisors breach. Consultations are free and confidential. Contact us today to get started.