Leaked RaidForums Database Exposes User Information
A database for the infamous hacking forum RaidForums was recently leaked online, giving both threat actors and security researchers insight into the users who frequented the site.
RaidForums was a well-known forum for data leaks and hacking, where stolen data from breached organizations was hosted, leaked, and sold. Threat actors who accessed the site would obtain customer information by hacking into websites or accessing exposed database servers, and then sell the data to other threat actors for use in phishing attacks, cryptocurrency scams, or malware distribution.
When data wasn’t sold or some time had passed, it was often leaked on RaidForums to gain a reputation among the community. However, in April 2022, the website and infrastructure were seized by international law enforcement, leading to the arrest of the site’s administrator and accomplices. Following the shutdown of RaidForums, users migrated to a new forum, Breached, which was also shut down in March 2023 after the site’s founder and owner was arrested by the FBI.
Recently, a new forum called ‘Exposed’ was launched to fill the void left behind by Breached and has already gained popularity. One of the site’s admins, known as ‘Impotent,’ leaked the RaidForums member database, exposing a significant amount of information to other threat actors, researchers, and potentially law enforcement.
The leaked data consists of a single SQL file for the ‘mybb_users’ table, which RaidForums’ forum software used to store registration information. This table contains the registration information for 478,870 members, including usernames, email addresses, hashed passwords, registration dates, and other forum software-related information. The table contains member information for users who registered between March 20th, 2015, and September 24th, 2020, indicating when the database was likely dumped. Impotent claims that some members have been removed from the database, and it is unknown when or why the dump was created.
BleepingComputer has confirmed that the information for numerous accounts in the database contains known registration information. Members of the Exposed forum have also confirmed that their information is in the MySQL table, indicating that the leaked table is legitimate.
Although it is likely that law enforcement already has access to this database, it could still be useful for security researchers to build profiles of threat actors. By using the leaked registration information, researchers can learn more about the threat actors and potentially link them to other malicious activities.