BreachForums Database Breach Exposes Details of Over 324K User Accounts

 

The newest version of the infamous BreachForums cybercrime marketplace has reportedly experienced another security lapse, with its user database table appearing online.

BreachForums refers to a succession of underground hacking forums commonly used for buying, selling, and leaking stolen data, as well as offering access to compromised corporate networks and other illicit cyber services. The platform emerged after RaidForums was taken down by law enforcement and its alleged operator, known as “Omnipotent,” was arrested.

Despite facing previous data breaches and repeated law enforcement interventions, BreachForums has consistently resurfaced under new domains. This pattern has led some observers to speculate that the forum may now be operating as a law-enforcement honeypot.

Recently, a website bearing the name of the ShinyHunters extortion group published a 7Zip archive titled breachedforum.7z. The archive includes three files:
  • shinyhunte.rs-the-story-of-james.txt
  • databoose.sql
  • breachedforum-pgp-key.txt.asc

A spokesperson for the ShinyHunters extortion group told BleepingComputer that they are not connected to the site hosting the archive.

The file breachedforum-pgp-key.txt.asc contains a private PGP key created on July 25, 2023, which BreachForums administrators previously used to sign official communications. Although the key has been exposed, it is protected by a passphrase, preventing misuse without the correct password.

Meanwhile, the databoose.sql file is reportedly a MyBB users table (mybb_users) holding details of 323,988 accounts. The leaked data includes usernames, registration timestamps, IP addresses, and other internal forum information.

According to BleepingComputer’s review, most IP addresses in the dataset map to a loopback address (127.0.0.9), limiting their investigative value. However, around 70,296 records do not use this local IP and instead contain public addresses. These entries could pose operational security risks to affected users and may be useful to law enforcement or cybersecurity analysts.

The most recent registration date in the leaked database is August 11, 2025—the same day the previous BreachForums instance at breachforums[.]hn was taken offline following arrests linked to its alleged operators. On that day, a ShinyHunters member posted in the “Scattered Lapsus$ Hunters” Telegram channel, alleging that BreachForums was a law-enforcement trap, a claim later denied by forum administrators.

In October 2025, the breachforums[.]hn domain was formally seized after being repurposed for extortion campaigns tied to large-scale Salesforce data thefts attributed to the ShinyHunters group.

The current BreachForums administrator, operating under the alias “N/A,” has confirmed the latest incident. According to the administrator, a backup of the MyBB users table was briefly left in an unsecured directory and downloaded only once.

“We want to address recent discussions regarding an alleged database leak and clearly explain what happened,” N/A wrote on BreachForums.

“First of all, this is not a recent incident. The data in question originates from an old users-table leak dating back to August 2025, during the period when BreachForums was being restored/recovered from the .hn domain.”

“During the restoration process, the users table and the forum PGP key were temporarily stored in an unsecured folder for a very short period of time. Our investigation shows that the folder was downloaded only once during that window.”

While N/A advised members to rely on disposable email addresses and emphasized that most IPs were local, the exposed data could still attract interest from investigators.

Following publication of the article, cybersecurity firm Resecurity informed BleepingComputer that the website hosting the archive has now been updated to include the passphrase for BreachForums’ private PGP key. Another independent security researcher confirmed that the disclosed password successfully unlocks the key.

Bologna FC Acknowledges Data Breach After RansomHub Ransomware Assault

 

Bologna Football Club 1909 has disclosed that it fell victim to a ransomware attack, following the RansomHub extortion gang’s publication of stolen data online. 
 
In an official statement, the club confirmed: “Bologna FC 1909 S.p.a. would like to communicate that a ransomware cyber attack recently targeted its internal security systems. The crime resulted in the theft of company data which may appear online. Please be warned that it is a serious criminal offence to be in possession of such data or facilitate its publication or diffusion.” 
 

RansomHub Claims Theft of Sensitive Data 

 
The announcement comes shortly after the RansomHub ransomware group claimed responsibility for the attack. The group alleges that it exfiltrated 200GB of data, including: 
- Financial documents 
- Player medical records 
- Personal information of customers and staff 
- Business plans 
 
RansomHub has issued multiple threats to Bologna FC, asserting that the leaked data could expose the club’s violations of European data protection regulations and other football-related compliance requirements set by FIFA and UEFA. 
 

Rising Cyber Threats in Football and Sports Organizations 
 

Football clubs and sports organizations have become frequent targets for financially motivated cybercriminals. 
 
- In 2022, the Dutch football governing body was hacked by the now-defunct LockBit ransomware group and reportedly paid a ransom to secure sensitive data belonging to over 1.2 million employees and members. 
 
- A Premier League club fell victim to a business email compromise attack, where hackers infiltrated a team director’s email during a trade deal and nearly transferred $1.2 million into fraudulent accounts. 
 
- In 2018, an Italian Serie A club lost more than $1.75 million after hackers compromised a club official’s email and intercepted payments from a streaming service provider. Spanish authorities later arrested 11 individuals connected to the scheme in Barcelona. 

 

Cybersecurity Risks in Professional Sports 

 
In 2020, the United Kingdom's National Cyber Security Centre (NCSC) highlighted the growing risk of cyberattacks on sports organizations. A notable incident involved a ransomware attack on a Premier League team that: 
 
- Severely disrupted its corporate systems 
- Paralyzed the turnstile system 
- Nearly led to the cancellation of a scheduled game 

The Need for Strengthened Security 

 
The attack on Bologna FC underscores the urgent need for sports organizations to bolster their cybersecurity defenses. Financially motivated attacks continue to target sensitive information, posing risks not only to the organizations themselves but also to their players, staff, and fans. 
 
As investigations into the Bologna FC incident continue, the club’s response and future security measures will be closely watched by both cybersecurity experts and the football community. Maintaining robust digital defenses is now a critical requirement for ensuring the integrity and continuity of operations in the world of professional sports.