
BreachForums v1 Database Leak: A Crucial OPSEC Challenge for Modern Hackers

Discover the story behind BreachForums v1 database leak, an opsec test for hackers. Learn how this free database of 7.3 million users is being used to analyze the operational security habits of hackers and forum members. Stay informed on the latest developments in cybersecurity and data protection.


Imagine having a treasure chest filled with all sorts of valuable information about a hacking community – the kind of data that could expose their identities, activities, and communication trails. That’s exactly what happened when the entire database for the infamous BreachForums v1 hacking forum was released on Telegram. The treasure trove included members’ information, private messages, cryptocurrency addresses, and every post on the forum.

This data came from a database backup allegedly sold by Conor Fitzpatrick, aka Pompompurin. Back in 2022, after the RaidForums hacking forum was seized, Fitzpatrick launched BreachForums v1. Unfortunately for him, it was later seized by the FBI after his arrest.

While out on bail, Fitzpatrick supposedly sold this database in July. Since then, it has been circulating among various threat actors, with one trying to sell it for a whopping $150,000 later that month.

Although the database had been shared with Have I Been Pwned at that time, it wasn’t publicly released until recently.

A slow but steady leak

Over the past weekend, there has been a constant trickling of data from the BreachForums v1 database.

Everything started with the threat actor Emo releasing a limited export of member data, including names, email addresses, and IP addresses, after being banned from the current version of BreachForums.

As tension continued to rise among BreachForums community members, Emo decided to leak the entire database on Tuesday night, revealing a massive amount of additional data.

In a Telegram post, Emo stated, “This database includes everything, Private Messages, Threads, Payment logs, detailed IP logs for each user, etc. I originally only leaked the user table to discourage it from being sold behind the scenes by BreachForum staff, however it’s become apparent that so many people have the database now that it being leaked is an inevitability. This will give everyone a chance to review their records and fix holes in their OPSEC.”

We have obtained the database and can confirm that it is a complete backup of the MyBB forum created on November 28th, 2022, at about 7 PM ET. It contains all the forum data, including members’ hashed passwords, private messages between users, cryptocurrency addresses used to purchase forum credits, and every post on the site.

The private messages are particularly incriminating, as they reveal threat actors discussing their exploits, expressing interest in purchasing access to networks, or seeking access to the latest stolen data.

The data also includes cryptocurrency addresses used to buy site credits, which allowed members to view hidden content in forum posts. This information will enable crypto intelligence firms to link historical cryptocurrency payments to specific threat actors.

While law enforcement has had access to this database since they seized the site and arrested its owner in 2023, other threat actors, journalists, and researchers are only now getting a chance to examine it.

Although the data is almost two years old, it will still serve as an operational security (OPSEC) test for many threat actors who used the forums. OPSEC is a method employed to protect sensitive information that could be utilized by adversaries to gain an advantage or identify you.

Did the hacking forum members practice proper OPSEC by using VPNs or Tor when connecting to the site, using private email addresses, or effectively concealing their identities? That remains to be seen as researchers and journalists use this data to build threat actor profiles and link them to other malicious activities.

With this new information in hand, it’s crucial to stay vigilant and proactive in protecting your online presence. IT Services is here to help you navigate the ever-evolving world of cybersecurity. Contact us, and keep coming back for more valuable insights and support in securing your digital life.
