Doomsday for Hackers: 324,000 BreachForums Accounts Exposed in Massive Leak

A comprehensive database associated with BreachForums—one of the most notorious clearinghouses for exfiltrated data and illicit network access—has been leaked online, compromising the credentials of nearly 324,000 accounts.

The platform has survived numerous incarnations, tracing its lineage back to the defunct RaidForums, which collapsed following the apprehension of its proprietor. Since that time, BreachForums has repeatedly resurrected itself across various domains, persisting despite sustained law enforcement interventions and recurrent security breaches. Rumors within the underground community suggest the current iteration may have even served as a honeypot orchestrated by authorities to entrap cybercriminals.

The latest disclosure emerged following the distribution of an archive titled breachedforum.7z on a site linked to the ShinyHunters extortion collective. This archive comprised three files: a database dump of the forum’s user table, a private PGP key, and a narrative detailing the exploits of a user known as “James.” Representatives of ShinyHunters have since distanced themselves from the repository that hosted the file.

The leaked database encompasses nearly 324,000 entries, including pseudonyms, registration dates, IP addresses, and various technical artifacts. Forensic analysis reveals that while a significant portion of the IP data consists of local, non-public values offering little for de-anonymization, over 70,000 entries contain authentic public IP addresses, a potential windfall for law enforcement investigations.

The most recent registration date in the database is August 11, 2025, the same day the previous domain, breachforums[.]hn, was shuttered following the arrest of its alleged administrators. This domain was subsequently weaponized to blackmail corporate victims of ShinyHunters before falling under definitive police control in October 2025.

The current administrator of BreachForums, operating under the alias “N/A,” corroborated the breach, attributing it to a configuration error during the forum’s restoration in August 2025. He asserted that the user table and PGP key were inadvertently stored in an unprotected directory and accessed only once. In light of the incident, he exhorted members to utilize ephemeral email addresses to mitigate future exposure.

The situation has since escalated: Resecurity reported that the passphrase for the leaked private PGP key has surfaced on the same site as the archive. An independent security consultant confirmed the passphrase’s validity. Although the key itself remains encrypted, the disclosure of its passphrase significantly elevates the risk of adversaries forging administrative communications and undermines the perceived integrity of the forum’s leadership.
