8x8, Inc. (Nasdaq: EGHT) disclosed a cybersecurity incident in a Form 8-K filed under Item 1.05, the Securities and Exchange Commission's mandatory line item for material cybersecurity incidents. According to the filing, the Campbell, California-based cloud communications company was informed on June 13, 2026 that an unauthorized third-party threat actor had exploited a third-party application integration connected to its Salesforce customer relationship management system. The company said the threat actor gained access and exfiltrated certain customer information from that environment.

The filing names the affected component precisely. 8x8 said the threat actor exploited "the Klue Labs, Inc. (“ Klue ”) third-party application programming integration connected to the Company's Salesforce, Inc. (“ Salesforce ”) customer relationship management system." The unauthorized access itself, per the company, occurred over a roughly two-day window before discovery. This is a third-party integration compromise narrative — the entry point the company describes is not its own core systems but a connected application sitting on top of its Salesforce tenant.

"On June 13, 2026, 8x8, Inc. (“ Company ” or “ we” ) was informed that an unauthorized third party threat actor exploited the Klue Labs, Inc. (“ Klue ”) third-party application programming integration connected to the Company's Salesforce, Inc. (“ Salesforce ”) customer relationship management system."— 8x8, Inc. Form 8-K, Item 1.05, source

What the filing says was taken

On scope, the company is specific about categories without quantifying the number of affected individuals. The 8-K states that the threat actor exfiltrated "certain competitively sensitive information about current, former and prospective customers of the Company, including fragmented contract and opportunity information, sales team notes, and contact information (names, business addresses, phone numbers and email addresses of the customers)." The filing characterizes the contract and opportunity data as "fragmented," and frames the records as business-to-business customer information — business addresses and business phone numbers rather than consumer-level personal data. The disclosure does not state how many customers or records were affected, and it does not identify any specific customer. Those details are not in the filing.

8x8 says the incident appears contained to one system. The company states that its investigation to date "indicates that this incident was isolated to information stored in 8x8’s Salesforce system that was accessible through the Klue integration." On response, the filing says that upon discovery, 8x8 and Klue, with support from Salesforce, "took immediate steps to disable the compromised integration and removed the unauthorized access," and that the company "has and continues to implement additional security measures to reduce the risk of similar unauthorized access in the future." The 8-K notes the investigation is ongoing: 8x8 says it continues to investigate the extent of the incident, including examining the information accessed, and is in the process of notifying relevant regulatory authorities.

The materiality question, in the SEC's sense

The most consequential framing in any Item 1.05 filing is the materiality language, and 8x8's is worth reading closely because it points in two directions at once. The company disclosed the incident under Item 1.05 — but it did so, in its own words, "due to the nature of the information accessed," not because it concluded the event would move its financials. The filing then states that "based on the investigation to date, the incident is not expected to have a material impact on the Company’s operations or the Company’s financial condition or results of operations." On operational impact, the company is more categorical: it says that as of the date of the report, other than its own response and remediation activities, "the incident has not had an impact on the Company’s business or operations," that its ability to serve customers "has not been impacted," and that its information systems "remain operational and undisrupted."

That combination — reporting under Item 1.05 while stating a material financial impact is not expected — is a pattern that has recurred across cyber-incident disclosures since the SEC's 2023 cyber rule took effect. The rule requires a registrant to file under Item 1.05 within four business days of determining that a cybersecurity incident is material. The 8-K is dated June 17, 2026 as the date of earliest event reported, and lists June 13, 2026 as the date the company was informed of the incident. The filing was signed on June 23, 2026 by Chief Financial Officer Kevin Kraus. The document does not state the precise date on which 8x8 made its materiality determination, so the exact start of the four-business-day clock is not specified in the filing itself; the company's stated awareness date and report date sit within that window. Readers tracking the timing question should note that the filing reports a determination to disclose under Item 1.05 without disclosing the internal determination date.

Two things the filing does not do are as important as what it does. First, it does not attribute the activity to any named threat actor, ransomware group, or nation-state, and it makes no claim about motive beyond describing the data as "competitively sensitive." Any attribution would be speculation the document does not support. Second, it does not disclose financial figures, customer counts, or a remediation cost estimate. The forward-looking statements section flags the standard caveats — the company warns of "the risk that the Company’s has underestimated the scope of or impacts from the incident" and "the possibility that containment and remediation efforts may not be successful" — language that preserves room for the assessment to change as the investigation continues.

For a cloud communications provider, the disclosed entry vector — a third-party application connected to a Salesforce CRM rather than the production communications platform — is the detail that defines this incident's stated boundaries. The filing's own framing keeps the impact inside the CRM data layer and outside customer-facing service. What 8x8 has put on the record is a contained, integration-borne data exfiltration affecting customer relationship records, reported under Item 1.05 on the strength of the data's sensitivity, with the company's current position that it does not expect a material financial hit. The next data points to watch are in 8x8's own subsequent filings: any amended 8-K updating scope, and the cybersecurity disclosures in its next periodic report.