Breached Cybercrime Forum’s Database for Sale and Shared with Have I Been Pwned

Concerns about data breaches usually revolve around consumers and their exposed information. However, it is now the hackers who are feeling the heat as the notorious Breached cybercrime forum’s database is up for sale and its member data has been shared with Have I Been Pwned.

Yesterday, the data breach notification service Have I Been Pwned announced that visitors can check if their information was compromised in a data breach of the Breached cybercrime forum.

“In November 2022, the well-known hacking forum “BreachForums” was itself breached. Later the following year, law enforcement agencies arrested the operator of the website and seized the site,” reads the announcement from Have I Been Pwned.

The breach exposed 212k records, including usernames, IP and email addresses, private messages between site members, and passwords stored as argon2 hashes.

Breached was a large hacking and data leak forum notorious for hosting, leaking, and selling data stolen from hacked companies, governments, and organizations worldwide.

After the arrest of the site’s admin Pompompurin in March 2023, the remaining administrator, Baphomet, decided to shut down the forum due to concerns that law enforcement also had access to the site’s servers.

Subsequently, Baphomet launched a new version of the forum called BFv2 with another data breach seller known as Shiny Hunters.

Did the Ransomware Attack on the Parent Company of KFC and Pizza Hut Lead to the Data Breach?

The recent ransomware attack on the kfc and pizza hut parent company has raised concerns about a potential data breach. As cybercriminals exploit vulnerabilities, it remains uncertain if sensitive data from these popular restaurant chains has been compromised. Investigations are underway to determine the extent of the breach and safeguard customer information.

A Valuable Data Source

The Breached database is currently being sold by a threat actor known as “breached_db_person.” They have shared the database with Have I Been Pwned to validate its authenticity for potential buyers.

BleepingComputer has also verified that known Breached accounts are listed in the shared member’s table.

Previous Breached admin Baphomet has confirmed the legitimacy of the database and issued a warning that its sale is part of an ongoing campaign to dismantle the community.

“Not only was the database submitted to Have I Been Pwned, but it is also being actively sold and leaked by at least one person, who even attempted to do so on our forum,” warned Baphomet.

“For that reason, I’m sure we’re going to see it become public soon enough. Judging by the 212k users, this is likely an older database from months before the closure of BFv1, considering that my last forum backup had 336k users.”

According to the seller, only law enforcement, Baphomet, and Pompompurin possess the database.

The threat actor is offering to sell the Breached database to a single buyer for $100,000 – $150,000. The database contains a snapshot of the entire dataset taken on November 29th, 2022.

The database is approximately 2 GB in size and includes all tables, such as private messages, payment transactions, and the member database.

While the FBI has already gained access to the Breached database after seizing the servers, this data remains valuable for cybersecurity researchers and potentially other threat actors.

The seller, breached_db_person, informed BleepingComputer that the private message tables contain incriminating information about forum members. Furthermore, the “members” database includes IP addresses, indicating that many threat actors do not employ good operational security and instead use residential IP addresses.

The private messages table holds great value as it contains messages exchanged privately among forum members, potentially revealing information about past attacks, identities, and other useful details.

Samples from the payments table were shared with BleepingComputer and contain information about payments made to purchase forum ranks (membership levels with additional benefits) and credits (a form of forum currency).

These payments were processed through CoinBase Commerce or Sellix, with Coinbase transactions including links to order confirmations that may contain sensitive information, such as cryptocurrency addresses and Coinbase payment IDs.

This cryptocurrency data can be valuable to blockchain analytics companies, allowing them to link threat actors to criminal activities using the cryptocurrency addresses.

Breached and its members have been responsible for numerous hacks, extortion attempts, ransomware attacks, and the leaking of stolen data from various companies. These breaches include DC Health Link, Twitter, RobinHood, Acer, Activision, and many others.

Therefore, the private messages could prove invaluable to researchers. The seller mentioned that they have already been contacted by cybersecurity firms requesting a copy of the data for their own research.

Other threat actors have also expressed interest, with one offering $250,000 for the database.

Although it is still too early to determine whether the database will be sold, even if it is, it would not be surprising for the entire dataset to be leaked for free in the future.

It is common for data breaches to initially be privately purchased and then released later to enhance reputation within the data theft community.

Recently, the seized RaidForums data breach forum also experienced a data breach, and the new BreachedForums clone (BFv2) had its database leaked.