BreachForums hacking forum database leaked, exposing 324,000 accounts

The latest incarnation of the notorious BreachForums hacking forum has suffered a data breach, with its user database table leaked online.

BreachForums is the name of a series of hacking forums used to trade, sell, and leak stolen data, as well as sell access to corporate networks and other illegal cybercrime services.

The site was launched after the first of these forums, RaidForums, was seized by law enforcement, with the owner, "Omnipotent", arrested.

While BreachForums has suffered data breaches and police actions in the past, it has been repeatedly relaunched under new domains, with some accusing it of now being a honeypot for law enforcement.

Yesterday, a website named after the ShinyHunters extortion gang released a 7Zip archive named breachedforum.7z.

This archive contains three files named:

• shinyhunte.rs-the-story-of-james.txt
• databoose.sql
• breachedforum-pgp-key.txt.asc

A representative of the ShinyHunters extortion gang told BleepingComputer they are not affiliated with the site that distributed this archive.

The archive's 'breachedforum-pgp-key.txt.asc' file is the PGP private key created on July 25, 2023, and used by BreachForums to sign official messages from the administrators. While the key has been leaked, it is passphrase-protected, and without the password, it can't be abused to sign messages.

The "databoose.sql" file is a MyBB users database table (mybb_users) containing 323,988 member records that include member display names, registration dates, IP addresses, and other internal information.

BleepingComputer's analysis of the table shows that most of the IP addresses map back to a local loopback IP address (0x7F000009/127.0.0.9), so they are not of much use.

However, 70,296 records do not contain the 127.0.0.9 IP address, and the records we tested map to a public IP address. These public IP addresses could be an OPSEC concern for those people and valuable to law enforcement and cybersecurity researchers.

The last registration date in the newly leaked user database is from August 11, 2025, which is the same day that the previous BreachForums at breachforums[.]hn was closed. This shutdown followed the arrest of some of its alleged operators.

That same day, a member of the ShinyHunters extortion gang posted a message on the "Scattered Lapsus$ Hunters" Telegram channel, claiming the forum was a law-enforcement honeypot. The BreachForums administrators subsequently denied these allegations.

The breachforums[.]hn domain was later seized by law enforcement in October 2025 after it was repurposed to extort companies impacted by the widespread Salesforce data theft attacks conducted by the ShinyHunters extortion group.

The current BreachForums administrator, known as "N/A," has acknowledged the new breach, stating that a backup of the MyBB user database table was temporarily exposed in an unsecured folder and downloaded only once.

"We want to address recent discussions regarding an alleged database leak and clearly explain what happened," N/A wrote on BreachForums.

"First of all, this is not a recent incident. The data in question originates from an old users-table leak dating back to August 2025, during the period when BreachForums was being restored/recovered from the .hn domain."

"During the restoration process, the users table and the forum PGP key were temporarily stored in an unsecured folder for a very short period of time. Our investigation shows that the folder was downloaded only once during that window," continued the administrator.

While the administrator said that BreachForums members should use disposable email addresses to reduce risk and that most IP addresses mapped to local IPs, the database still contains information that could be of interest to law enforcement.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 11 January 2026 at 5:22 am AEST (my time).

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025: 5,700+

RIP Matrix