BreachForums Database Leaked, Exposing 324K Users
A backup misconfiguration led to the exposure of nearly 324,000 user records from the notorious hacking forum, including usernames, hashed passwords, and IP addresses.
The notorious cybercrime marketplace BreachForums became the victim of its own trade this month when a database backup exposed nearly 324,000 user records. The leaked data includes usernames, hashed passwords, email addresses, IP addresses, private messages, and forum posts—the kind of haul BreachForums users typically profit from selling.
What Was Exposed?
The breach originated from a MyBB database backup that was temporarily stored in an unsecured folder during a restoration process in August 2025. An individual identifying as "James" published the data on January 9, 2026, along with a 23-part manifesto.
According to Have I Been Pwned, the stolen dataset contains:
- 323,988 unique user records
- Usernames and email addresses
- Argon2-hashed passwords
- IP addresses (though most map to the loopback address 127.0.0.9)
- Private messages and public forum posts
Security firm Resecurity confirmed the data's authenticity. The most recent registration date in the dump is August 11, 2025—the same day the previous BreachForums site shut down—suggesting the backup was grabbed during the forum's final hours at that domain.
The 70,000 Real IP Addresses
While most IP addresses in the database map to a local loopback address (127.0.0.9), approximately 70,296 records contain actual public IP addresses. BleepingComputer verified that these records trace back to real locations, potentially exposing users who thought they were anonymous.
This creates significant legal exposure for forum members. Law enforcement agencies have previously used similar data leaks from RaidForums and other criminal platforms to identify and arrest users. The geographic distribution shows concentrations in the United States, Germany, the Netherlands, France, Turkey, and the United Kingdom.
PGP Keys and Notable Accounts
Resecurity's analysis uncovered PGP keys linked to accounts using handles associated with prominent threat actors, including ShinyHunters and IntelBroker. The database also contains records linked to individuals previously connected to groups like GnosticPlayers.
After the initial story broke, researchers also discovered the password for BreachForums' PGP private key was included in an update to the leak—a particularly embarrassing detail for a forum that positions itself as a secure haven for data traders.
Admin Response
The current BreachForums administrator, operating under the handle "N/A," acknowledged the breach but downplayed its significance. The admin stated the backup was "temporarily exposed in an unsecured folder and downloaded only once" and characterized it as "an old users-table leak."
The ShinyHunters extortion gang, whose branding appeared on the website distributing the archive, denied any affiliation with the leak. A representative told BleepingComputer they had nothing to do with the site hosting the data.
Why This Matters
The breach represents a significant blow to the criminal forum ecosystem. "The breach significantly undermines trust in the platform itself, which is critical for any cybercrime forum," noted Michael Jepson, penetration testing manager at CybaVerse. He predicted that "more sophisticated cyber criminals are likely to migrate away from large and well-known forums toward smaller, invite-only communities."
This isn't the first time BreachForums has faced such troubles. The forum launched in 2022 as the successor to RaidForums, which U.S. authorities seized as part of a crackdown on data trafficking. Founder Conor Brian Fitzpatrick was arrested in 2023 and later sentenced to three years in prison. A 2024 domain seizure was quickly reversed by operators tied to ShinyHunters, but the forum has struggled to maintain stability since.
For defenders tracking threat actors, the leak is a gold mine. For the criminals themselves, it's a reminder that no platform is truly secure—especially one built by and for people who make a living exploiting security failures.