
BreachForums Database Leak Exposes 324,000 User Accounts

Originally published on: January 12, 2026
Summary

– The BreachForums hacking forum has suffered a data breach, resulting in the leak of its user database table containing nearly 324,000 member records.
– The leaked data includes user information like display names, registration dates, and IP addresses, with over 70,000 records containing public IPs that could pose a security risk.
– A PGP private key used by the forum administrators was also leaked, but it was initially passphrase-protected; an update later revealed the password was published.
– The forum’s administrator acknowledged the breach, stating the data was from an old backup temporarily exposed during a site restoration process in August 2025.
– BreachForums is a notorious cybercrime marketplace that has been repeatedly relaunched and targeted by law enforcement, with its previous domain seized after being used for extortion.

The recent leak of a user database from the latest version of the notorious BreachForums cybercrime platform has exposed nearly 324,000 member accounts. This incident highlights the persistent vulnerabilities within illicit online communities, even as they attempt to rebuild following law enforcement actions. The leaked data, which includes usernames, registration dates, and IP addresses, poses a significant operational security risk for individuals involved and provides valuable intelligence for cybersecurity professionals and authorities.

BreachForums is a well-known series of hacking forums where participants trade stolen data, sell access to compromised networks, and offer various other illegal cybercrime services. It emerged after its predecessor, RaidForums, was shut down by law enforcement. Despite previous breaches and police interventions, the forum has repeatedly resurfaced under new domains, leading to widespread speculation that it may now function as a law enforcement honeypot.

A website named after the ShinyHunters extortion gang recently published an archive containing the leaked data. The files within include a text document, a SQL database file, and a PGP private key file. A representative from ShinyHunters has denied any involvement with the site that distributed this archive. The included PGP key, created in July 2023, was used by BreachForums administrators to sign official messages. When the archive was first published, the key was passphrase-protected, which prevented its immediate misuse for signing fraudulent communications.

The core of the leak is the “databoose.sql” file, a MyBB users database table holding 323,988 records. These records contain member display names, registration dates, and IP addresses. Analysis reveals that a majority of the IP addresses point to a local loopback address, rendering them useless. However, a subset of 70,296 records contains public IP addresses that could compromise the anonymity of those users. This information is particularly valuable for investigators and security researchers tracking cybercriminal activity.

Notably, the last registration date in the database is August 11, 2025, coinciding with the shutdown of the previous BreachForums domain. That shutdown followed the arrest of several alleged operators. On the same day, a ShinyHunters member claimed on Telegram that the forum was a law enforcement trap, an accusation the forum’s administrators vehemently denied. The old domain was later seized by authorities in October 2025 after it was allegedly repurposed for extortion related to separate data theft attacks.

The current administrator of BreachForums, using the alias “N/A,” has acknowledged the incident. They stated that a backup of the user table and the PGP key were temporarily stored in an unsecured folder during a restoration period in August 2025 and were downloaded only once during that brief exposure window. While the administrator advised members to use disposable email addresses and downplayed the risk due to the prevalence of local IPs, the exposed public IP data remains a serious concern.

In a subsequent development, cybersecurity firm Resecurity reported that the website hosting the leak has been updated to include the password for the BreachForums PGP private key. An independent security researcher has confirmed that the provided password successfully unlocks the key, escalating the potential security implications of this breach.

(Source: Bleeping Computer)
