BreachForums, the serially resurrected cybercrime marketplace, has tripped over itself after a data breach spilled details tied to about 324,000 user accounts.
The latest incarnation of the notorious hacking forum was burgled in August 2025, exposing email addresses, usernames, and hashed passwords, according to Have I Been Pwned, which added the incident to its database on January 10.
The allegedly stolen user data was later posted to shinyhunte[.]rs, alongside a message from a self-described cyber outlaw calling himself "James," who appeared keen to make sure his handiwork didn't go unnoticed.
Have I Been Pwned's listing of the incident shows that the breach occurred before law enforcement's October 2025 takedown of the BreachForums domain, and that the leak comprised roughly 324,000 unique email addresses, usernames, and Argon2-hashed passwords, pulled from public posts, private messages, and other forum records.
According to Resecurity's analysis of the breach, the leaked database includes records linked to real individuals active in the cybercrime world, including crims previously associated with groups such as GnosticPlayers. PGP keys tied to accounts using handles such as ShinyHunters and IntelBroker were also found in the dump.
The database was published alongside a rambling, self-indulgent manifesto by "James," which included remarks and identifiers pointing to other miscreants allegedly involved in malicious activity. Some entries appear to have been edited, partially scrubbed, or tampered with, but Resecurity said a significant chunk of the material appears to be authentic.
One detail that caught researchers' attention was timing. The most recent registration date in the leaked database is August 11, 2025, the same day the previous BreachForums site at breachforums[.]hn was shut down, suggesting the data was lifted as the forum was entering its final hours.
Resecurity said it reviewed the IP data in the leak, while warning that VPN use muddies the picture. Even so, the records indicate heavy use from the US and parts of Europe, alongside activity in the Middle East and North Africa, including Morocco, Jordan, and Egypt.
The security biz warned that publishing the data could carry real consequences for those named. "Following the publication of this data, undoubtedly many threat actors will face difficulties in hiding their identities and an increased risk of getting arrested," the company said.
The leak also prompted a rare public response from BreachForums' current administrator, who goes by the alias N/A. In a forum post, the admin apologized for the exposure while insisting the data itself was not new.
"We want to address recent discussions regarding an alleged database leak and clearly explain what happened," N/A wrote. "First of all, this is not a recent incident. The data in question originates from an old users-table leak dating back to August 2025, during the period when BreachForums was being restored/recovered from the .hn domain."
According to the administrator, the problem stemmed from sloppy handling during the forum's recovery. "During the restoration process, the users table and the forum PGP key were temporarily stored in an unsecured folder for a very short period of time. Our investigation shows that the folder was downloaded only once during that window," N/A added.
The admin also suggested that "James" may be linked to the ShinyHunters collective – a claim that has not been independently verified.
Details that once sat inside a semi-private forum can now be picked and cross-referenced – and for anyone named in the leak, that's a very different problem from an old forum backup quietly gathering dust on a server. ®
Source: The register