BreachForums Data Breach Exposes 324,000 User Records After MyBB Misconfiguration in 2026
- Rescana
- Jan 13

Executive Summary
On January 9, 2026, a significant data breach at BreachForums, a major cybercrime marketplace, resulted in the exposure of nearly 324,000 user records. The breach, which originated from a misconfiguration or vulnerability in the forum’s MyBB software, led to the public release of a database containing usernames, Argon2-hashed passwords, email addresses, IP addresses, registration dates, and PGP keys. The incident has compromised the anonymity of cybercriminals, administrators, and high-profile threat actors, providing law enforcement and security researchers with valuable attribution data. The breach is confirmed to have occurred during a restoration process in August 2025, when a backup of the user database was temporarily stored in an unsecured folder and subsequently downloaded. The exposure has destabilized the cybercrime ecosystem, increasing the risk of follow-on attacks, law enforcement actions, and migration to alternative platforms. All claims in this summary are corroborated by primary sources, including eSecurityPlanet, BleepingComputer, and The Register (https://www.esecurityplanet.com/threats/breachforums-data-breach-exposes-324000-users/, https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/amp/, https://www.theregister.com/2026/01/12/breachforums_breach/).
Technical Information
The breach at BreachForums was the result of a web application vulnerability or misconfiguration in the MyBB forum software. During a restoration and recovery process in August 2025, a backup of the mybb_users database table was inadvertently placed in an unsecured, publicly accessible folder. This allowed an unauthorized party, identified by the alias "James," to download the database. The administrator of BreachForums, known as "N/A," confirmed that the exposure was not a recent incident but stemmed from the restoration period following the shutdown of the breachforums[.]hn domain.
The exposed database contains approximately 323,986 user records, including usernames, Argon2-hashed passwords, email addresses, IP addresses, registration dates, and PGP keys. While most IP addresses in the database are loopback addresses (127.0.0.9), approximately 70,296 records contain public IP addresses, which present a significant operational security risk for those users. The presence of PGP keys and email addresses further increases the risk of deanonymization and targeted law enforcement action.
The breach did not involve the use of malware or remote access tools. Instead, the compromise was achieved through exploitation of a misconfiguration or vulnerability in the web application, specifically during a period of administrative oversight. The MyBB software, an open-source forum platform, was the underlying technology affected.
The incident has been mapped to several MITRE ATT&CK techniques. The initial access vector corresponds to T1190 (Exploit Public-Facing Application), as the attacker exploited a vulnerability or misconfiguration to access the database. The collection phase aligns with T1530 (Data from Cloud Storage Object), since the database was exposed in an unsecured folder. The exposure of PGP keys, email addresses, and hashed passwords partially maps to T1552 (Unsecured Credentials), increasing the risk of further compromise.
The breach has significant implications for the cybercriminal ecosystem. BreachForums has served as a central marketplace for breached data, credentials, and illicit services since its launch in 2022, following the law enforcement takedown of its predecessor, RaidForums. The forum has been repeatedly targeted by law enforcement, with notable events including the 2023 arrest of founder Conor Fitzpatrick and domain seizures in 2024 and 2025. Despite these disruptions, the platform persisted until the August 2025 breach, which exposed its user base and undermined the anonymity of its members.
Analysis of the leaked data indicates that the largest concentration of users is in the United States, followed by Germany, the Netherlands, France, Turkey, and the United Kingdom, with additional users in North Africa and the Middle East. The exposure of high-profile threat actors, including those associated with groups such as ShinyHunters and GnosticPlayers, has created new opportunities for law enforcement investigations and disrupted ongoing criminal operations.
The breach has also led to increased instability within the cybercrime marketplace. The exposure of user data has prompted concerns about phishing, retaliation, and rapid migration to alternative platforms. Organizations that monitor these shifts can gain valuable insights into emerging threats and attacker behavior.
The authenticity of the leaked data has been confirmed by multiple independent sources, including eSecurityPlanet, BleepingComputer, and The Register. While some entries in the database appear to have been edited or tampered with, the majority of the material is considered authentic. The administrator of BreachForums has acknowledged the breach and apologized for the exposure, attributing it to administrative oversight during the restoration process.
Affected Versions & Timeline
The breach affected the MyBB forum software used by BreachForums during its operation from 2022 to August 2025. The exposed database includes user records up to the last registration date of August 11, 2025, which coincides with the shutdown of the breachforums[.]hn domain. The data was publicly released on January 9, 2026, after being posted to a site named after the ShinyHunters group.
The timeline of key events is as follows:
- August 11, 2025: The last user registration in the leaked database, corresponding with the shutdown of breachforums[.]hn.
- October 2025: Law enforcement seizes the breachforums[.]hn domain.
- January 9, 2026: The leaked database is published online.
- January 10-12, 2026: Multiple security researchers and media outlets confirm the authenticity and scope of the breach.
The administrator of BreachForums has stated that the exposed data originated from an old users-table leak during the restoration of the forum from the .hn domain. The exposure occurred when the users table and forum PGP key were temporarily stored in an unsecured folder, which was downloaded only once during that window.
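A statement such as "downloaded only once" can be checked against the web server's access log by listing every request that actually returned a backup file's bytes. The following is an added example, not code from the article, its sources or MyBB; it assumes Apache/nginx "combined" log format, and the log lines, paths and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed log layout: Apache/nginx "combined" format.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Paths that look like dumps or archives (assumed extension list).
BACKUP_PATH = re.compile(r"\.(sql|dump|bak|tar|tgz|zip|7z|gz)$", re.I)


def backup_fetches(lines):
    """Map each backup-like path to the requests that actually returned its bytes."""
    served = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-request line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not BACKUP_PATH.search(path):
            continue
        # 200 = full body, 206 = byte range (resumed or chunked download).
        if m["status"] in ("200", "206") and m["size"] not in ("-", "0"):
            served[path].append((m["ip"], m["ts"], int(m["size"])))
    return dict(served)


def distinct_clients(served):
    """Count distinct client addresses per exposed file."""
    return {path: len({ip for ip, _ts, _size in hits}) for path, hits in served.items()}


# Constructed sample lines (documentation IP ranges, made-up paths and sizes).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Mar/2024:02:13:58 +0000] "GET /restore_tmp/ HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [01/Mar/2024:02:14:09 +0000] "GET /restore_tmp/users.sql HTTP/1.1" 200 48211934 "-" "curl/8.5.0"',
    '203.0.113.20 - - [01/Mar/2024:03:40:01 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [01/Mar/2024:03:41:12 +0000] "HEAD /restore_tmp/users.sql HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [02/Mar/2024:09:00:30 +0000] "GET /restore_tmp/users.sql?x=1 HTTP/1.1" 206 1048576 "-" "Wget/1.21"',
]

if __name__ == "__main__":
    for path, hits in backup_fetches(SAMPLE_LOG).items():
        print(path, hits)
```

In the constructed sample, the 404 probe and the bodiless HEAD request are excluded, while the full download and the later byte-range request both count, so the file was retrieved by two distinct clients.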
Threat Activity
The breach has exposed the operational security failures of a major cybercrime forum, revealing the identities and activities of nearly 324,000 users. The affected user base includes administrators, moderators, and high-profile threat actors, many of whom are associated with well-known cybercrime groups such as ShinyHunters and GnosticPlayers. The exposure of PGP keys, email addresses, and public IP addresses has created significant risk for these individuals, increasing the likelihood of law enforcement action and internal retaliation.
The breach has also destabilized the cybercrime ecosystem, leading to increased phishing, doxxing, and migration to alternative platforms. The exposure of the user database has provided law enforcement and security researchers with a rare opportunity to analyze the structure and membership of a major cybercrime forum. The incident has highlighted the fragility of anonymity within the Dark Web, demonstrating that even established platforms are vulnerable to internal missteps and technical weaknesses.
The threat actor "James" has claimed responsibility for the breach, but there is no direct technical evidence linking this individual to a known advanced persistent threat (APT) or cybercrime group. The ShinyHunters group has denied involvement in the leak, despite the data being posted on a site named after them. The administrator of BreachForums has acknowledged the breach and attributed it to administrative oversight during the restoration process.
The breach has also prompted concerns about the potential for follow-on attacks, including phishing campaigns targeting exposed email addresses and attempts to compromise accounts using the leaked hashed passwords. The exposure of PGP keys may also facilitate targeted attacks against specific individuals within the cybercrime community.
Mitigation & Workarounds
The following mitigation strategies are recommended, prioritized by severity:
- Critical: Organizations involved in law enforcement or threat intelligence should immediately analyze the leaked database for actionable intelligence on cybercriminal actors, infrastructure, and operational patterns. The exposure of PGP keys, email addresses, and public IP addresses provides a unique opportunity for attribution and disruption of ongoing criminal operations.
- High: Security teams should monitor for increased phishing, doxxing, and retaliatory activity targeting individuals named in the breach. The exposure of hashed passwords, while mitigated by the use of Argon2, still presents a risk if users have reused passwords across multiple platforms.
- Medium: Organizations should review their own use of MyBB or similar forum software, ensuring that backups and sensitive data are never stored in unsecured, publicly accessible folders. Regular security audits and configuration reviews are essential to prevent similar incidents.
- Low: Users of cybercrime forums should be aware that anonymity is not guaranteed, even on established platforms. The use of disposable email addresses and VPNs can reduce risk, but cannot eliminate the possibility of exposure due to administrative or technical failures.
No specific malware or remote access tools were identified in this breach, so traditional endpoint detection and response measures are not directly applicable. The primary mitigation focus should be on secure configuration, access controls, and regular auditing of web applications and data storage practices.
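The configuration review recommended above can include a scan of the web document root for files that look like database dumps, by name or by content. This is an added example, not code from the article or from MyBB; the extension list, content markers, function names and sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Names that usually mean a dump or archive (assumed extension list).
BACKUP_NAME = re.compile(r"\.(sql|dump|bak|tar|tgz|zip|7z|gz)$", re.I)
# Byte markers of an SQL dump; mybb_users is the table named in the article.
DUMP_MARKERS = (b"CREATE TABLE", b"INSERT INTO", b"mybb_users")


def audit_webroot(root, sniff_bytes=65536):
    """Return (relative path, reasons) for files under root that look like backups."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.stat(path).st_mode):
                    continue  # skip sockets, FIFOs and devices
                with open(path, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                continue  # broken link or unreadable by the auditing user
            reasons = []
            if BACKUP_NAME.search(name):
                reasons.append("backup-like name")
            # A renamed dump (users.txt) is still caught by its content.
            if sum(marker in head for marker in DUMP_MARKERS) >= 2:
                reasons.append("SQL dump content")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree: a renamed dump, an archive, and a normal page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "restore_tmp"))
    samples = {
        "restore_tmp/users.txt": b"CREATE TABLE `mybb_users` (uid int);\n"
                                 b"INSERT INTO `mybb_users` VALUES (1);\n",
        "site.tar.gz": b"constructed placeholder bytes",
        "index.php": b"<?php echo 'forum'; ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Calling `audit_webroot(build_sample_webroot())` flags the renamed dump and the archive and leaves `index.php` alone; any file it reports sits where the web server can serve it unless an explicit deny rule covers that path.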
References
- https://www.esecurityplanet.com/threats/breachforums-data-breach-exposes-324000-users/ (January 12, 2026)
- https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/amp/ (January 10, 2026)
- https://www.theregister.com/2026/01/12/breachforums_breach/ (January 12, 2026)
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and partners. Our platform supports the identification of misconfigurations, exposed assets, and supply chain risks, helping organizations prevent incidents similar to the BreachForums breach. For questions or further information, contact us at ops@rescana.com.


