leaksear.ch has indexed 2,360,633 Salesforce-derived records tied to Cbassociations, a victim name linked to Icarus ransomware and extortion claims reported on June 22, 2026 (leaksear.ch metadata, www.dexpose.io). The records include names, addresses, countries, IP addresses and usernames as queryable fields, with additional Salesforce-style record metadata stored alongside them (leaksear.ch metadata).
What happened
Public reporting on Cbassociations is limited. DeXpose reported that Icarus publicly claimed an attack targeting Cbassociations on June 22, 2026, and described the threat actor statement as referring to Salesforce data, while also listing the target domain and country as unavailable (www.dexpose.io). ZeroFox separately lists Cbassociations among alleged ICARUS targets, but describes the entity as unidentified and its sector as unknown (www.zerofox.com).
The Cbassociations dataset should be treated as tied to Icarus claims and Salesforce-derived data, not as a fully confirmed public breach notice from the affected organization. No public source reviewed for this article confirms Cbassociations' country, domain, exact intrusion path, or whether the dataset was obtained through the Klue incident.
The broader Icarus context matters because the group has been publicly connected to Salesforce-focused extortion activity. Klue disclosed that an attacker used a compromised legacy integration credential to obtain OAuth tokens for third-party platforms, including Salesforce, and then accessed data in connected customer environments (klue.com). Huntress, one affected Klue customer, said Icarus listed stolen data from Klue-related victims on June 22 and warned that sales-specific data could support phishing campaigns (www.huntress.com).
What data was exposed
The leaksear.ch index covers 2,360,633 Cbassociations records (leaksear.ch metadata). Searchable fields are address, country, IP address, name and username (leaksear.ch metadata).
Additional stored fields include account ID, record ID, related ID, created date, last modified date, event time, role, source object, status, title and a details JSON field (leaksear.ch metadata). These supporting fields provide CRM-style context, but they are not listed as direct search pivots on leaksear.ch (leaksear.ch metadata).
The supplied indexing metadata does not list passwords, payment card numbers, government identifiers or password hashes for this dataset (leaksear.ch metadata). Based on the available public reporting, the safest description is exposure of Salesforce-derived identifiers, contact context and record metadata tied to Cbassociations.
Why this matters
Names, addresses, usernames and IP addresses can help attackers correlate people, accounts and organizations across other breach data. CRM-style fields such as role, status, title and source object may also make phishing or impersonation attempts more credible if attackers use them to reference business relationships or account context.
For security teams, the practical risk is follow-on social engineering, vendor impersonation and targeted outreach to employees, partners or customers. Organizations connected to Cbassociations should review whether any exposed identifiers match their users or business contacts, and individuals who may have interacted with Cbassociations should check whether their name, address, country, IP address or username appears in this leak.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, ip address, name, and username.