Infamous BreachForums forum breached, spilling data on 325K users

Summary

BreachForums — a repeatedly resurrected marketplace for stolen data — was itself breached, leaking roughly 324,000 unique user records. The leak, which Have I Been Pwned added to its database on 10 January 2026, stems from an August 2025 incident and includes email addresses, usernames and Argon2-hashed passwords pulled from public posts, private messages and other forum records.

Resecurity’s analysis shows the dump contains PGP keys and entries tied to known cybercriminals and groups (such as GnosticPlayers), and the data was published on shinyhunte[.]rs alongside a manifesto from someone calling themself ‘James’. Timing suggests the information was exfiltrated as the forum was being restored and then shut down (most recent registrations in the leak date to 11 August 2025).

The forum admin (alias ‘N/A’) acknowledged the exposure, blaming sloppy handling during a recovery process and saying an unsecured folder storing the users table was downloaded once. Resecurity warns the publication could make it easier to identify and arrest actors previously hiding in a semi-private forum environment.

Key Points

  • About 324,000 unique user records were leaked from BreachForums; Have I Been Pwned lists the incident as BreachForums2025.
  • Leaked data includes email addresses, usernames and Argon2-hashed passwords from posts, private messages and forum records.
  • Resecurity found PGP keys and records tied to known cybercriminals and collectives, suggesting real-world identities may be exposed.
  • The breach appears to have occurred in August 2025, coinciding with the forum’s shutdown and restoration activity.
  • Data was published on shinyhunte[.]rs along with a manifesto by an individual calling themself ‘James’.
  • The forum admin admits that a recovery misstep left a users table temporarily accessible, and claims the data is not ‘new’.
  • Publication of the dump raises the risk that named actors will be identified and potentially arrested; VPN use in logs complicates attribution.

Context and relevance

This incident shows even illicit marketplaces built to traffic in stolen data can be weak links themselves. For defenders and investigators, leaked forum records — especially PGP keys and cross-references — are a valuable intelligence source. For security teams and individuals, it underscores that account identifiers tied to criminal forums can surface and be repurposed for attribution or further abuse.

Author’s take

This isn’t just another dump — it’s a rare, messy snapshot of a criminal community. If you’re tracking threat actors or protecting organisations from credential-based threats, the details matter. Read the bits about timing and PGP keys; those are the threads investigators will pull.

Why should I read this?

Quick and blunt: because it’s proof that the places crooks trust can backfire spectacularly. If you care about threat intelligence, incident response or people accidentally reusing email/passwords — this story gives you the heads-up you need. It also highlights how sloppy recovery or backups can expose identities that were never meant to be public.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/12/breachforums_breach/