{"id":4088,"date":"2026-01-12T13:38:25","date_gmt":"2026-01-12T13:38:25","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/01\/12\/breachforums-database-leak-turns-the-tables-on-threat-actors\/"},"modified":"2026-01-12T13:38:25","modified_gmt":"2026-01-12T13:38:25","slug":"breachforums-database-leak-turns-the-tables-on-threat-actors","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/01\/12\/breachforums-database-leak-turns-the-tables-on-threat-actors\/","title":{"rendered":"BreachForums Database Leak Turns the Tables on Threat Actors"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

Cybercriminals that use the BreachForums dark web site may soon have their identities exposed after a database related to the forum was leaked online.<\/p>\n

On Friday, a website named after the ShinyHunters hacking collective, shinyhunte[.]rs, released a Zip archive, \u201cbreachedforum.7z,\u201d containing the SQL database, alongside a lengthy message and a PGP key, according to Resecurity.<\/p>\n

The next day, a password for the private PGP key was published. Rescurity believes the key is used by BreachForums to sign official messages from its administrators.<\/p>\n

The security firm urged anyone interested in the database to download it from its own site, as other sources may try to booby-trap it with malware.<\/p>\n

\u201cThe database includes meta-data of 323,986 users extracted from MySQL DB table named \u2018hcclmafd2jnkwmfufmybb_users\u2019 relevant to MyBB, an open source forum software,\u201d the firm explained.<\/p>\n

\u201cThe database could be acquired as a result of a web application vulnerability in a CMS or through possible misconfiguration.\u201d<\/p>\n

Read more on BreachForums: French Authorities Arrest Four with Suspected Ties to Notorious BreachForums<\/em><\/p>\n

It\u2019s not clear how useful the information in the database will be to investigators. It includes usernames and IP addresses, but at least some of the latter are thought to be a loopback address, making it impossible to trace the individual.<\/p>\n

\u201cSome of the records identified in the database are definitely authentic and can be cross-checked with other sources regarding specific actors,\u201d said Resecurity.<\/p>\n

\u201cHowever, some records have been edited, removed, or contain non-existent information\u00a0(for example, replaced on IP 127.0.0.9), which is likely an OPSEC measure taken by the actors administering it.\u201d<\/p>\n

Also unclear is the motivation of the leaker. Accompanying the database was a lengthy manifesto authored to a \u201cJames,\u201d which names several individuals and potential aliases: Dorian Dali (Kams), Ojeda Nahyl (N\/A, Indra) and MANA (Mustapha Usman).<\/p>\n

In response, the current administrator of BreachForums, \u201cN\/A,\u201d posted a message to the forum, claiming \u201cJames\u201d is a former member of ShinyHunters.<\/p>\n

\u201cWe want to reassure you that no changes will be made, and moreover, the staff information leaked, including me, is entirely false, as is any remaining data,\u201d they claimed.<\/p>\n

\u201cThis James (Mathis) is a poor madman who is no longer in his right mind and is currently wanted by the police.\u201d<\/p>\n

A Brief History of BreachForums<\/h2>\n

The last registered user on the database is apparently August 11 2025, the date that the previous iteration of BreachForums[.]hn was closed.<\/p>\n

That fits with N\/A\u2019s claim that the table was taken during the time BreachForums was being restored from the .hn domain, when it was temporarily stored in an unsecured folder.<\/p>\n

The site was first launched as a successor to RaidForums, which was seized by law enforcement in 2022. Run by Conor Brian Fitzpatrick (pompompurin) until his arrest in 2023, this first iteration of BreachForums was succeeded by another run by ShinyHunters and administrator \u201cBaphomet\u201d until it too was seized and shuttered in 2024.<\/p>\n

After the most recent closure in August 7 2025, a member of the ShinyHunters gang\u00a0posted a message on the \u201cScattered Lapsus$ Hunters\u201d\u00a0Telegram channel claiming the forum was a police honeypot.<\/p>\n

Law enforcement disrupted the operation again in October last year.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Cybercriminals that use the BreachForums dark web site may soon have their identities exposed after a database related to the forum was leaked online. On Friday, a website named after the ShinyHunters hacking collective, shinyhunte[.]rs, released a Zip archive, \u201cbreachedforum.7z,\u201d containing the SQL database, alongside a lengthy message and a PGP key, according to Resecurity.<\/p>\n","protected":false},"author":2,"featured_media":4089,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4088","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/01\/4088-b040227c-443f-4c74-8013-b38a7682506c-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4088"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4088\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4089"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4088"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}