leaksear.ch has indexed a Gms-net dataset containing 31,249 Salesforce CRM records, with names, emails, phones, addresses, countries, and usernames exposed from a June 22, 2026 breach (leaksear.ch metadata). GMS is a Baar, Switzerland-based communications solutions partner for enterprises and mobile network operators, and public reporting ties the alleged Salesforce data theft to the ICARUS extortion group (gms.net, dexpose.io, securityweek.com).
What happened
DeXpose reported that ICARUS announced a cyberattack on Gms-net on June 22, 2026, and claimed to have exfiltrated Salesforce data from the Swiss firm (dexpose.io). SecurityWeek later reported that ICARUS listed Gms-net on its Tor-based leak site among organizations whose Salesforce data had allegedly been stolen (securityweek.com).
The specific intrusion path for Gms-net is not confirmed in the cited public reporting. The broader June 2026 ICARUS activity included attacks against SaaS and CRM environments, and ZeroFox describes ICARUS as using a multitiered extortion model involving supply chain compromise, data exfiltration, and public disclosure threats (zerofox.com).
Public reporting on the same ICARUS campaign described abuse of Klue OAuth tokens to access connected Salesforce environments at multiple organizations, but the available sources do not confirm that Gms-net was compromised through Klue or any specific third-party integration (bleepingcomputer.com, securitylabs.datadoghq.com).
What data was exposed
The leaksear.ch indexing metadata lists the directly searchable fields as address, country, email, name, phone, and username (leaksear.ch metadata).
Other stored CRM-related fields include account IDs, company, title, website, industry, lead source, email subscription consent, email opt-out and bounce indicators, owner ID, record type, Salesforce IDs, source email fields, source objects, created and last-modified dates, federation identifier, ZoomInfo company ID, and ZoomInfo ID (leaksear.ch metadata).
Why this matters
CRM data can make phishing and social-engineering attempts more convincing because it links contact information with workplace context such as company, title, industry, lead source, and account identifiers (leaksear.ch metadata). The metadata does not support claims about passwords, payment cards, national IDs, or other financial identifiers, so those should not be assumed here. Security teams should treat the exposure as useful for targeted email, phone, and vendor-impersonation activity, especially where exposed contacts had sales or business relationships with GMS. If you may have interacted with GMS, check leaksear.ch using the searchable pivots for this leak: email, name, phone, username, address, or country (leaksear.ch metadata).
Check your exposure
Vetted researchers and incident-response teams can check this dataset by requesting access, or by signing in if they already have it. Searchable pivots for this leak include address, country, email, name, phone, and username.
Sources
- GMS: GMS Positioned in the 2026 Gartner Magic Quadrant for Communications Platform as a Service
- DeXpose: Icarus Ransomware Strikes Swiss Firm Gms-net
- SecurityWeek: BeyondTrust, LastPass Impacted by Klue-Salesforce Incident
- ZeroFox: ZeroFox Intelligence Profile - ICARUS
- BleepingComputer: Klue OAuth Breach Victim List Grows as Icarus Hackers Claim Attack
- Datadog Security Labs: Detecting the Klue Supply Chain Attack in Salesforce Instances