BreachForums Data Leak Exposes Hacker Forum Users and Compromises PGP Key

CyberSecureFox 🦊

A new chapter in the history of the underground hacker forum BreachForums has ended with an ironic twist: the forum’s own users have become victims of a data leak. An SQL dump of the platform’s user database, together with the administration’s private PGP key, has been published online. This significantly increases the risk of deanonymizing forum participants and intensifies law enforcement pressure on the cybercriminal ecosystem built around such marketplaces.

From RaidForums to BreachForums: evolution of data leak marketplaces

The role of a central hub for trading and publishing stolen databases was initially held by RaidForums, where threat actors exchanged compromised data from corporate breaches and public-sector intrusions. In 2022, the FBI seized RaidForums in a coordinated law enforcement operation, creating a vacuum on the cybercrime market.

Shortly after, a new forum, BreachForums (also known as Breached), was launched by an actor using the alias Pompompurin. The site quickly became one of the most active English-language data leak forums. Among the most notable incidents attributed to its community were the exposure of data from DC Health Link, the health services provider for the U.S. Congress, and the leak of information on millions of Twitter users.

In March 2023, the FBI arrested alleged BreachForums operator Connor Brian Fitzpatrick (Pompompurin), leading to the forum’s shutdown. Subsequent reincarnations followed, including BreachForums v2 in 2024, reportedly involving the group ShinyHunters and actors using the handles Baphomet and IntelBroker.

That iteration was taken offline in April 2025 after what was described as a compromise via a 0‑day vulnerability in the MyBB forum engine. In autumn 2025, U.S. authorities seized the domain breachforums[.]hn, and operators themselves stated that law enforcement likely obtained database backups during the takedown.

New BreachForums leak: breachedforum.7z archive and user data

According to reporting by BleepingComputer, on 9 January 2026 an archive named breachedforum.7z appeared on a site operating under the ShinyHunters brand. The archive contained three files: a text document describing the story of a person called “James,” an SQL dump of the BreachForums database, and a file with the forum administration’s PGP key.

A representative of ShinyHunters denied any connection to the site hosting the archive, underscoring the high level of fragmentation, mistrust, and brand hijacking inside the cybercriminal community, where names of well-known groups are often reused or abused.

Compromised PGP key undermines trust in BreachForums communications

The PGP file contains a private key generated on 25 July 2023, used to cryptographically sign official announcements from the BreachForums administration. Normally, such a key is protected by a passphrase, preventing third parties from signing messages as the forum’s operators without knowing the password.

Researchers at Resecurity noted that the same site later published the passphrase for the private PGP key. After verifying its authenticity, they concluded that the key is fully compromised. This retroactively undermines confidence in historical signed messages appearing to come from BreachForums and opens the door to phishing, disinformation, and social engineering campaigns targeting cybercriminals themselves.

MyBB SQL dump: nearly 324,000 accounts and tens of thousands of real IPs

The main asset for security analysts in this leak is the SQL file containing the MyBB users table with 323,988 accounts. For each user, the dump includes a nickname, registration date, IP address, and several internal parameters.

Most entries list the IP address 127.0.0.9, a loopback (local) address that does not reveal a user’s actual network location. However, 70,296 records contain public IP addresses, which significantly increase the potential for deanonymization. Such data can be correlated with ISP records, other breached databases, and activity timestamps to identify or profile forum participants.

The latest registration date visible in the dump is 11 August 2025, coinciding with the shutdown of the BreachForums instance on breachforums[.]hn following arrests of several alleged operators. This temporal match supports the assessment that the dump reflects the state of the forum shortly before that takedown.
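The kind of triage an analyst would run over such a dump, as an added example that is not from the article or the archive it describes: it parses rows in the shape of a MyBB users table, separates loopback entries like 127.0.0.9 from non-routable and public addresses, and extracts the latest registration date. The column set and the sample rows are constructed assumptions, not data from the real leak.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample in the shape of a MyBB users-table dump. The column subset is
# assumed; regdate is a Unix timestamp, regip a dotted-quad IP. Public-range values
# here are well-known resolver addresses used purely as placeholders.
SAMPLE_DUMP = """
INSERT INTO `mybb_users` (`uid`, `username`, `regdate`, `regip`) VALUES
(1, 'alpha', 1690243200, '127.0.0.9'),
(2, 'bravo', 1722470400, '127.0.0.9'),
(3, 'charlie', 1754870400, '8.8.8.8'),
(4, 'delta', 1754899200, '9.9.9.9'),
(5, 'echo', 1722470400, '10.0.0.5');
"""

ROW_RE = re.compile(r"\((\d+),\s*'([^']*)',\s*(\d+),\s*'([^']*)'\)")


def parse_rows(dump):
    """Yield (uid, username, regdate, regip) tuples from INSERT value lists."""
    for match in ROW_RE.finditer(dump):
        uid, name, regdate, regip = match.groups()
        yield int(uid), name, int(regdate), regip


def classify_ip(ip_text):
    """Loopback entries carry no location; only globally routable ones matter."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:          # whole 127.0.0.0/8, so 127.0.0.9 lands here
        return "loopback"
    if not ip.is_global:        # RFC 1918, link-local, documentation ranges, ...
        return "non_routable"
    return "public"


def summarise(dump):
    """Count accounts per IP class and report the newest registration date (UTC)."""
    rows = list(parse_rows(dump))
    counts = {"loopback": 0, "non_routable": 0, "public": 0, "invalid": 0}
    for _, _, _, regip in rows:
        counts[classify_ip(regip)] += 1
    latest = max(regdate for _, _, regdate, _ in rows)
    latest_date = datetime.fromtimestamp(latest, tz=timezone.utc).date().isoformat()
    return {"accounts": len(rows), "latest_regdate": latest_date, **counts}


if __name__ == "__main__":
    print(summarise(SAMPLE_DUMP))
```

The same counts, run over the real 323,988-row table, are what separate the 70,296 records that carry a public address from the loopback-filled majority.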

Administrator’s version: exposed backups and classic OPSEC failure

The current BreachForums administrator, using the nickname N/A, has acknowledged the authenticity of the leak. According to this account, the incident is not the result of a fresh intrusion, but rather a legacy compromise dating back to August 2025, when the team was restoring the forum after losing the .hn domain.

N/A states that a backup copy of the users table and the forum’s PGP key were briefly stored in an unprotected web-accessible directory and were allegedly downloaded only once: “During restoration, the user table and forum PGP key were temporarily stored in an unsecured folder. Our investigation shows that the folder was downloaded only once.” The administrator also stresses that a large portion of IP entries in the database are local, not public.

From a technical perspective, this is a textbook example of an operational security failure. Temporary backups and encryption keys exposed to the web are routinely discovered by automated scanners, search engines, and both security researchers and adversaries. Similar misconfigurations are a common cause of leaks not only in criminal infrastructures but also in corporate and government environments.
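A hygiene check for exactly this failure, added here as an example and not taken from the article or any forum software: it walks a web document root and flags table backups, archives and PGP private-key material that should never sit under a served directory. The document root, file names and contents are constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile

# File name endings that should not live under a web-served directory.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".7z", ".zip", ".tar.gz", ".bak", ".asc", ".gpg")
# Armor headers that identify private key material regardless of file name.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)


def find_exposed_artifacts(docroot):
    """Return sorted (relative_path, reasons) pairs for risky files under docroot."""
    findings = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.lower().endswith(SENSITIVE_SUFFIXES):
                reasons.append("backup/archive/key extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)          # content check on the first 4 KiB only
            except OSError:
                continue
            if any(marker in head for marker in PRIVATE_KEY_MARKERS):
                reasons.append("private key material")
            if head.startswith(b"-- MySQL dump") or b"INSERT INTO `" in head:
                reasons.append("SQL dump content")
            if reasons:
                findings.append((os.path.relpath(path, docroot), reasons))
    return sorted(findings)


def demo():
    """Constructed web root: a users-table backup and an armored key next to a page."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "restore"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'ok';")
        with open(os.path.join(root, "restore", "users.txt"), "wb") as fh:
            fh.write(b"-- MySQL dump 10.13\nINSERT INTO `mybb_users` VALUES (1,'a');\n")
        with open(os.path.join(root, "restore", "forum.asc"), "wb") as fh:
            fh.write(b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nPLACEHOLDER\n")
        return find_exposed_artifacts(root)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", ", ".join(reasons))
```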

Risks for forum users and value for threat intelligence

The BreachForums database leak illustrates how cybercriminal infrastructure is itself a target for monitoring and compromise. Public IP addresses, email fields, usernames, and registration timestamps can be used to build activity profiles, link multiple aliases to a single individual, and connect forum accounts to other intrusion campaigns or known breaches.

Administrator N/A advises users to rely on disposable email addresses. In reality, many threat actors reuse the same email accounts, passwords, and nicknames across multiple platforms, greatly simplifying the work of both law enforcement and private-sector threat intelligence teams. Previous Department of Justice indictments and Europol operations have repeatedly shown how reused handles and overlapping metadata from forum leaks help attribute attacks and identify operators.

For defenders, such SQL dumps are a valuable source of threat intelligence. They enable tracking the evolution of groups such as ShinyHunters, mapping relationships between forum personas, and identifying overlaps with known intrusion sets targeting enterprises. Security teams can enrich internal monitoring with indicators derived from underground forums, including email addresses, IP ranges, and aliases observed in attack chains.

The BreachForums incident reinforces an important trend: the systems used by cybercriminals are no more secure than those of their victims. Regular arrests, domain seizures, backup captures, and user database leaks demonstrate that anonymity and impunity in the underground are increasingly fragile assumptions. Organizations should systematically monitor data from dark web and hacker forums for signs of account compromise, strengthen key management and backup protection practices, and promote better digital hygiene among employees and customers to reduce the impact of inevitable breaches across all online services.
