BreachForums data leak exposes 324,000 cybercriminal accounts
Take action: Even if you are a cybercrime forum, you still need to be very careful about security practices. Probably even more so, because both criminals and law enforcement are watching. And there is no honor towards a cybercrime forum.
Learn More
BreachForums, a cybercrime marketplace and successor to RaidForums, suffered a major data leak in August 2025.
A threat actor using the alias "James" published the stolen database on the site shinyhunte[.]rs in January 2026. You have to click through the rant, then the file is downloaded. The breach happened before law enforcement agencies seized the forum's domain in October 2025. The leak provides a rare look into the identities of thousands of individuals involved in the trade of stolen data and extortion.
The breach resulted from a system misconfiguration during a server restoration process. Administrators moving the forum from the .hn domain left a users table and the forum's PGP private key in an unsecured, publicly accessible folder. An attacker downloaded this folder during a brief window of exposure.
The current administrator, known as "N/A," admitted the error stemmed from sloppy handling during the recovery phase. The leaked database contains records for approximately 324,000 unique users. Security researchers at Resecurity confirmed the authenticity of the data. The compromised information includes:
- Usernames and email addresses
- Argon2-hashed passwords
- IP addresses (Registration and Last Seen)
- Private messages and public forum posts
- The forum's PGP private key
The leak includes metadata for high-profile threat actors, including those linked to the GnosticPlayers and ShinyHunters groups. Law enforcement can now cross-reference these IP addresses and email accounts to unmask individuals involved in global extortion campaigns. The "James" manifesto accompanying the leak named several alleged administrators and moderators, potentially leading to future arrests. The records indicate heavy user activity in the United States, Europe, and parts of North Africa, including Morocco and Egypt.
BreachForums administrators claim the data is not new but the exposure of hashed passwords and private communications poses a permanent risk to the users involved.
