leaksear.ch has indexed 191,065 Huntress CRM and Salesforce records, with the leak metadata listing a June 16, 2026 breach date and business contact, pricing, subscription, and sales communications data (leaksear.ch metadata). Public statements from Huntress and Klue tie the exposure to a compromise of Klue integrations in which attackers obtained OAuth tokens and accessed connected customer environments (www.huntress.com, klue.com).
What happened
Klue said it identified unauthorized activity on June 12, 2026 affecting part of its integration infrastructure, and that its investigation found an attacker used a compromised legacy credential associated with an integration service to obtain OAuth tokens for third-party platforms, including Salesforce. Klue said the attacker then accessed data in a number of connected customer environments, while its investigation found no evidence that customer content stored inside the Klue platform itself was impacted (klue.com).
A July 1 Klue summary of CrowdStrike's investigation added that a previously compromised GitHub personal access token was used on June 11 to introduce unauthorized code into Klue's integration service and collect third-party integration credentials, including Salesforce OAuth access and refresh tokens. Klue said CrowdStrike found no evidence of threat actor activity in the Klue environment after June 12 (klue.com).
Huntress reported that its copied data came from Salesforce and included business contacts, price quotes, and other sales-related data and messaging. Huntress also said Icarus listed data for Huntress and several other Klue-impacted companies on June 22, while Dark Reading and Help Net Security reported that Salesforce disabled the Klue Battlecards app connection after detecting unusual activity involving the app, not a Salesforce platform vulnerability (www.huntress.com, www.darkreading.com, www.helpnetsecurity.com).
What data was exposed
According to leaksear.ch indexing metadata, the searchable pivots for this leak are address, country, email, name, phone, and username (leaksear.ch metadata). The records also contain CRM context such as company, contact and lead identifiers, Salesforce IDs, lead source, job title, campaign and status fields, opt-out and do-not-call flags, and created or modified dates (leaksear.ch metadata).
Huntress described the exposed files as Salesforce data limited to business contact information, business names, products trialed or used, subscription details including units and pricing, sales-related communications, and opportunity notes. Huntress said that, based on current evidence, its products and infrastructure, telemetry, passwords, and payment card data were not impacted (www.huntress.com, support.huntress.io).
Why this matters
CRM and Salesforce data can be valuable for targeted phishing because it can reference real companies, products, quotes, subscriptions, job roles, and prior business conversations. Security teams should treat messages that reference Huntress trials, pricing, sales discussions, or support context as higher risk and verify them through known channels. Individuals and organizations that may have interacted with Huntress should check whether their address, country, email, name, phone number, or username appears in this leak before responding to suspicious outreach.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, name, phone, and username.
Sources
- Huntress: Cybercrime Breaches Klue: Salesforce Data Impacted for Many Victims, including Huntress
- Huntress Support: 2026 - June Klue Security Incident
- Klue: An Update on the Recent Klue Security Incident
- Klue: CrowdStrike Investigation Summary and Security Improvements
- Dark Reading: Salesforce Data Thefts Continue via Klue App Compromise
- Help Net Security: Klue breach lead to Salesforce data theft, Huntress affected