BreachForums Suffers Data Breach, Exposing 324,000 User Accounts
In August 2025, BreachForums the notorious cybercrime marketplace known for its repeated resurgences fell victim to a data breach, exposing sensitive details tied to approximately 324,000 user accounts. The incident, confirmed by Have I Been Pwned and added to its database on January 10, revealed email addresses, usernames, and Argon2-hashed passwords sourced from public posts, private messages, and forum records.
The stolen data was later published on shinyhunte[.]rs by an individual identifying as "James," who accompanied the leak with a manifesto. Analysis by cybersecurity firm Resecurity found the database contained records linked to real cybercriminals, including individuals previously associated with groups like GnosticPlayers. PGP keys tied to handles such as ShinyHunters and IntelBroker were also present, though some entries appeared altered or partially scrubbed.
The breach occurred just before law enforcement’s October 2025 takedown of BreachForums’ domain, with the most recent registration in the leaked data dated August 11 the same day the forum’s previous iteration at breachforums[.]hn was shut down. IP records, though obscured by VPN use, suggested heavy activity from the U.S. and Europe, alongside traffic from the Middle East and North Africa.
BreachForums’ current administrator, N/A, acknowledged the incident in a public post, attributing the leak to a temporary lapse in security during the forum’s recovery. The admin claimed the exposed data was an old users-table from August 2025, stored briefly in an unsecured folder before being downloaded. N/A also speculated that "James" may be linked to the ShinyHunters collective, though this remains unverified.
The leak raises concerns for those named, as cross-referencing the data could heighten risks of exposure and legal repercussions for cybercriminals. While the forum downplayed the incident as outdated, the public release transforms what was once semi-private forum data into a more accessible and dangerous resource.
Source: https://www.theregister.com/2026/01/12/breachforums_breach/
Have I Been Pwned cybersecurity rating report: https://www.rankiteo.com/company/haveibeenpwned
"id": "HAV1768224176",
"linkid": "haveibeenpwned",
"type": "Breach",
"date": "8/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '324,000 user accounts',
'industry': 'Cybercrime',
'name': 'BreachForums',
'type': 'Cybercrime marketplace'}],
'attack_vector': 'Unsecured folder during restoration process',
'data_breach': {'data_encryption': 'Passwords were hashed (Argon2)',
'data_exfiltration': 'Yes, data was downloaded and later '
'published',
'number_of_records_exposed': '324,000',
'personally_identifiable_information': 'Email addresses, '
'usernames, PGP keys '
'tied to real '
'individuals',
'sensitivity_of_data': 'High (cybercriminal identities, PGP '
'keys, private communications)',
'type_of_data_compromised': ['Email addresses',
'Usernames',
'Hashed passwords (Argon2)',
'PGP keys',
'Private messages',
'Forum records']},
'date_detected': '2025-08-11',
'date_publicly_disclosed': '2025-01-10',
'description': 'BreachForums, a cybercrime marketplace, suffered a data '
'breach in August 2025, exposing email addresses, usernames, '
'and hashed passwords of approximately 324,000 user accounts. '
'The stolen data was later published on shinyhunte[.]rs by an '
"individual identifying as 'James.' The breach occurred before "
"law enforcement's takedown of the BreachForums domain in "
'October 2025.',
'impact': {'brand_reputation_impact': 'Significant reputational damage to '
'BreachForums as a cybercrime '
'marketplace',
'data_compromised': 'Email addresses, usernames, Argon2-hashed '
'passwords, PGP keys, private messages, forum '
'records',
'identity_theft_risk': 'High for named individuals in the '
'cybercrime world',
'operational_impact': 'Temporary unsecured storage during '
'restoration, potential disruption of '
'cybercriminal operations',
'systems_affected': 'BreachForums user database and PGP keys'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Temporary unsecured storage of sensitive data during '
'system restoration can lead to significant breaches. '
'Cybercriminal forums are high-value targets for both law '
'enforcement and rival threat actors.',
'motivation': 'Exposure of cybercriminal identities, potential retaliation or '
'notoriety',
'post_incident_analysis': {'corrective_actions': 'Securing the unsecured '
'folder, public '
'communication to address '
'the breach',
'root_causes': 'Temporary unsecured storage of '
'user data and PGP keys during the '
"forum's restoration process"},
'recommendations': ['Implement stricter access controls during system '
'restoration',
'Avoid temporary unsecured storage of sensitive data',
'Enhance monitoring for unauthorized access to critical '
'data',
'Prepare for potential retaliation or exposure from rival '
'threat actors'],
'references': [{'date_accessed': '2025-01-10', 'source': 'Have I Been Pwned'},
{'source': 'Resecurity'},
{'source': 'BreachForums Administrator Statement'}],
'response': {'communication_strategy': 'Public apology and explanation by '
'administrator N/A',
'containment_measures': 'Investigation into the breach, public '
'statement by administrator',
'remediation_measures': 'Securing the unsecured folder '
'post-incident',
'third_party_assistance': 'Resecurity, Have I Been Pwned'},
'stakeholder_advisories': 'Cybercriminals named in the leak face increased '
'risk of arrest and exposure.',
'threat_actor': ['James', 'ShinyHunters (alleged)'],
'title': 'BreachForums Data Breach Exposes 324,000 User Accounts',
'type': 'Data Breach',
'vulnerability_exploited': 'Temporary unsecured storage of user data and PGP '
'keys'}