Back to Blog
high severity June 23, 2026 · scope unconfirmed

H* Listed by Icarus Ransomware Group

Salesforce data of H*. Data stolen: SF data - Compressed

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed June 23, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On June 23, 2026, the Icarus Ransomware Group added H* to its leak site, confirming that internal Salesforce data belonging to the organization had been exfiltrated and compressed during a ransomware attack.

Confirmed Details from Reporting

Public reporting indicates the incident involves Salesforce customer relationship management data. The files were taken prior to the group’s public listing of the victim on its leak site. Available reporting describes the stolen material as compressed internal files, though the exact volume and full list of records remain undisclosed. The number of people whose information was exposed is listed as unknown at this time.

Salesforce data was the primary target confirmed on the Icarus leak site. No additional systems have been publicly tied to this specific breach so far.

Why This Matters for You and Your Family

When a company’s Salesforce database is stolen, the information inside often includes names, email addresses, phone numbers, mailing addresses, purchase history, and support case notes. If you or anyone in your household has interacted with H* as a customer, your contact details and conversation records may now sit in an attacker’s archive. That data can be sold, published, or used as the starting point for more targeted attacks against you.

Even if you never entered your information directly into Salesforce, family members sometimes share accounts or appear in support tickets. A single exposed record can reveal relationships, children’s names, or household addresses that you would prefer to keep private.

The Doxxing and Identity-Chain Risks

Ransomware groups rarely stop at one dataset. Once they possess Salesforce records, they can cross-reference them with other leaks to build detailed profiles. An email address found here can be matched to credentials from an earlier breach, a phone number can link to social-media accounts, and a home address can surface in public records. These connections create an identity chain that makes doxxing and harassment far easier.

Credential leaks like this one cascade into account takeovers. The same email and password combination used for an H* support login may also protect your bank account, email, or your child’s gaming profile. Attackers follow these chains methodically, turning one corporate breach into multiple personal compromises.

Icarus Ransomware Group Track Record

Public reporting attributes the Icarus Ransomware Group with operations that emerged in recent years. The group is known for targeting organizations across multiple sectors and posting victim data on dedicated leak sites when ransom demands are not met. Notable prior victims include companies whose customer and internal records were later published in batches. Their typical playbook involves initial access through common vulnerabilities or stolen credentials, followed by exfiltration of sensitive databases, encryption of systems, and extortion based on the threat of data release. Exact tactics can vary, but the public pattern centers on stealing structured business data such as CRM platforms and then applying pressure through leak-site publication.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, with no-subscription cleanup of exposed data.
  • Rotate the password used at H* anywhere it is reused and enable two-factor authentication through an authenticator app rather than text messages.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your information is caught in hours, not months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same address or email.
  • Let remediation specialists handle takedown requests across data brokers and exposed profiles while you focus on securing your own accounts.

The incident shows how quickly corporate data breaches reach ordinary families. Taking concrete steps now limits how far attackers can travel along your personal identity chain. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts. Start your DoxxScan trial today to gain clear visibility and expert assistance before the next leak appears.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.