BreachForums Hacking Forum Database Leak: Analysis of the 324,000 Account Exposure Incident (January 2026)
- Jan 11

Executive Summary
On January 9, 2026, the user database of the BreachForums hacking forum was leaked online, exposing 323,988 account records. The breach resulted from an accidental exposure of a database backup during a forum restoration process, not from exploitation of software vulnerabilities or malware. The leaked data includes usernames, registration dates, and 70,296 public IP addresses, as well as a passphrase-protected PGP private key used by forum administrators. The incident presents significant risks for forum participants, including potential identification and law enforcement interest, and for enterprises, which may face targeted spear phishing and reputational threats if employee data is present in the leak. Law enforcement agencies are likely to use the dataset for ongoing investigations. All findings are corroborated by multiple independent sources, including BleepingComputer, Anavem, and Have I Been Pwned. No evidence currently links the leak to the ShinyHunters group, despite the use of their name in the leak’s distribution.
Technical Information
The BreachForums incident centers on the exposure of a MyBB forum user database, which was inadvertently made accessible in an unsecured folder during a restoration operation. The database, named databoose.sql, contains 323,988 user records. Of these, 70,296 records include public IP addresses, while the remainder use a loopback address (127.0.0.9), likely as an obfuscation measure or due to forum configuration. The leak also includes a PGP private key file (breachedforum-pgp-key.txt.asc), which was used by forum administrators to sign official messages. The key is protected by a passphrase, which was later published alongside the leak.
The breach did not involve exploitation of a vulnerability in the MyBB forum software or the use of malware. Instead, the root cause was operational: a backup file was left in a publicly accessible location during a maintenance window. The forum administrator confirmed that the file was downloaded only once before being secured, but this single download was sufficient for the data to be widely disseminated.
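A check for the root cause described above, as an added example that is not part of the original analysis or any tooling it mentions: it walks a document root and flags database dumps and private-key files by name and by content. The suffix list, marker strings, and sample tree are assumptions constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

# Assumed policy: suffixes that never belong under a document root; markers catch renamed files.
RISKY_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar.gz", ".zip", ".asc")
MARKERS = (
    (b"-----BEGIN PGP PRIVATE KEY BLOCK-----", "pgp-private-key"),
    (b"CREATE TABLE", "sql-dump"),
    (b"INSERT INTO", "sql-dump"),
)

def audit_webroot(root, sniff_bytes=65536):
    """Return sorted (relative_path, reason, world_readable) findings under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks and special files
        reason = "risky-suffix" if path.name.lower().endswith(RISKY_SUFFIXES) else None
        with path.open("rb") as fh:
            head = fh.read(sniff_bytes)
        for marker, label in MARKERS:
            if marker in head:
                reason = label  # content evidence outranks the file name
                break
        if reason:
            world_readable = bool(st.st_mode & stat.S_IROTH)
            findings.append((path.relative_to(root).as_posix(), reason, world_readable))
    return sorted(findings)

def demo():
    """Audit a constructed document root that mimics a restore in progress."""
    samples = {  # path: (content, mode); all constructed for this example
        "index.php": (b"<?php echo 'forum'; ?>", 0o644),
        "restore_tmp/users_backup.sql": (b"CREATE TABLE users (uid INT);\n", 0o644),
        "restore_tmp/notes.txt": (b"-----BEGIN PGP PRIVATE KEY BLOCK-----\n", 0o644),
        "old_site.zip": (b"PK\x03\x04", 0o600),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (data, mode) in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            target.chmod(mode)
        return audit_webroot(root)

print(demo())
```

The world-readable bit is only a hint about exposure; any finding under the document root should be moved outside it, since the web server may serve files regardless of that bit.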
The leaked data enables correlation of forum handles, registration dates, and IP addresses, which can be cross-referenced with other breaches, ISP records, and VPN exit nodes. This correlation increases the risk of deanonymization for forum users. The presence of public IP addresses is particularly significant, as it allows for potential identification of users by law enforcement or other threat actors.
The leak’s technical impact extends beyond the forum itself. Enterprises may be affected if employees used corporate email addresses or reused handles on BreachForums. Such exposure can lead to targeted phishing, blackmail, or reputational attacks. The leak also provides a valuable dataset for law enforcement and threat intelligence teams, who can use it to map criminal ecosystems and support ongoing investigations.
The incident is mapped to the following MITRE ATT&CK techniques:
- Collection: Data from Information Repositories (T1213) – The attacker collected data from an exposed database backup. This mapping is supported by direct evidence from the forum administrator and multiple independent sources.
- Exfiltration: Exfiltration Over Web Service (T1567) – The data was exfiltrated via a web download. This is inferred from the method of exposure and subsequent leak.
- Impact: Data Leak (T1537) – The attacker publicly leaked the database, as confirmed by the publication of the archive on a site named after the ShinyHunters group.
- Initial Access: Valid Accounts (T1078) – While not a classic case of credential theft, the attacker accessed a legitimate backup due to misconfiguration.
No malware, exploitation tools, or software vulnerabilities were identified in this incident. The only software referenced is MyBB, which was not itself compromised.
Affected Versions & Timeline
The affected system is the BreachForums MyBB forum, specifically the user database as of August 11, 2025. This date corresponds to the last registration in the leaked database and the closure of the previous BreachForums domain following operator arrests. The backup was exposed during a restoration process and was downloaded on or before January 9, 2026, when the leak was published.
Historical context is relevant: BreachForums and its predecessor, RaidForums, have been repeatedly targeted by law enforcement and rival threat actors. A previous breach in November 2022 exposed 212,000 records, including usernames, IP and email addresses, private messages, and passwords stored as argon2 hashes (Have I Been Pwned, https://haveibeenpwned.com/Breach/BreachForums). The current incident is distinct in both scale and the nature of the data exposed.
Threat Activity
The threat activity in this incident is characterized by opportunistic exploitation of an operational error rather than a targeted attack using advanced techniques. The attacker, whose identity remains unconfirmed, discovered and downloaded the exposed backup file. The leak was subsequently published on a website named after the ShinyHunters extortion group, though the group has denied involvement and no technical evidence links them to the breach.
The primary threat to forum participants is the risk of identification and subsequent law enforcement action, particularly for those whose public IP addresses were exposed. For enterprises, the threat is the potential for targeted phishing, blackmail, or reputational attacks if employee data is present in the leak. The leak also revives speculation about the forum being a law enforcement honeypot, though the presence of a leaked PGP key alone does not substantiate this claim.
Law enforcement agencies are likely to use the leaked dataset for attribution, investigations, and mapping of criminal ecosystems. The exposure of public IP addresses and registration data enhances the ability to correlate forum activity with other intelligence holdings.
Mitigation & Workarounds
The following mitigation steps are recommended, prioritized by severity:
Critical: Organizations should immediately monitor for employee exposure in the leaked BreachForums dataset. This includes searching for corporate email addresses, reused handles, or other identifiers that may link employees to the forum. Security teams should prepare for targeted spear phishing, extortion, or reputational attacks referencing the leak.
High: Enterprises should update security awareness training to include information about this breach and the specific risks of social engineering campaigns leveraging underground forum leaks. Employees should be instructed not to respond to unsolicited emails referencing the incident and to report any suspicious communications to security teams.
Medium: Law enforcement and threat intelligence teams should incorporate the leaked dataset into ongoing investigations and cross-reference it with other breach data to identify potential criminal activity or insider threats.
Low: Forum participants should review their operational security practices, including the use of VPNs, pseudonymous handles, and unique credentials for underground forums. While the incident is historical, the risk of identification persists for those whose public IP addresses were exposed.
No technical patch or software update is applicable, as the breach resulted from operational misconfiguration rather than a software vulnerability.
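The Critical step above, as an added example that is not code from the original report: it matches a normalized extract of records against an organization's own email domains, known handles, and egress ranges. The CSV column names, sample rows, and watchlist values are constructed assumptions, using documentation-reserved addresses and domains.

```python
import csv
import io
import ipaddress

# Constructed sample extract; the column names are assumptions, not the dump's schema.
SAMPLE = """username,email,regdate,ip
jdoe_sec,jdoe@example.com,2024-03-02,198.51.100.23
nightowl,owl@mail.invalid,2023-11-19,127.0.0.9
acme-admin,x@mail.invalid,2025-01-07,203.0.113.77
quietfox,Sam.Lee@Corp.Example.com,2025-06-30,127.0.0.9
"""

def triage(rows, domains, handles, egress_cidrs):
    """Return (username, reasons) for rows that match the organization's identifiers."""
    nets = [ipaddress.ip_network(c) for c in egress_cidrs]
    domains = {d.lower() for d in domains}
    handles = {h.lower() for h in handles}
    hits = []
    for row in rows:
        reasons = []
        domain = row["email"].rpartition("@")[2].lower()
        # Match the domain itself or any subdomain, never a bare string suffix.
        if any(domain == d or domain.endswith("." + d) for d in domains):
            reasons.append("corporate-email")
        if row["username"].lower() in handles:
            reasons.append("known-handle")
        try:
            ip = ipaddress.ip_address(row["ip"])
        except ValueError:
            ip = None  # malformed or missing address
        # Loopback values such as 127.0.0.9 are placeholders and carry no signal.
        if ip is not None and not ip.is_loopback and any(ip in n for n in nets):
            reasons.append("corporate-egress-ip")
        if reasons:
            hits.append((row["username"], reasons))
    return hits

def demo():
    """Run the triage over the constructed sample with a hypothetical watchlist."""
    rows = csv.DictReader(io.StringIO(SAMPLE))
    return triage(rows, ["example.com"], ["acme-admin"], ["198.51.100.0/24"])

print(demo())
```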
References
BleepingComputer, "BreachForums hacking forum database leaked, exposing 324,000 accounts," January 10, 2026: https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/amp/
Have I Been Pwned, "BreachForums Data Breach," July 26, 2023: https://haveibeenpwned.com/Breach/BreachForums
Anavem, "BreachForums Database Leak Exposes 324K Accounts," January 10, 2026: https://anavem.com/cybersecurity/breachforums-database-leak-exposes-324k-accounts
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to identify, assess, and monitor external digital risks, including exposure of employee credentials, underground forum activity, and supply chain vulnerabilities. Our platform supports continuous monitoring and evidence-based risk analysis to help organizations respond to emerging threats. For questions about this incident or our capabilities, contact us at ops@rescana.com.