Executive Summary
In August 2025, BreachForums—the notorious hacking forum—suffered a major data leak when an unsecured backup of its user database was exposed online during site restoration activities. Threat actors, including a site impersonating the ShinyHunters gang, published the database containing nearly 324,000 account records. Most member IP addresses were obfuscated, but over 70,000 records exposed real public IPs, along with usernames, emails, registration dates, and other metadata. Also leaked was a PGP private key used by forum admins, which later became usable after its passphrase was posted online. This breach occurred shortly after law enforcement actions against the forum and the shutdown of its .hn domain following the arrest of its operators.
This incident underscores the persistent risk of sensitive data exposure even among cybercriminal communities and highlights evolving law enforcement tactics. The leak fuels ongoing debate over forum honeypots, operational security failures, and the volatility of underground forums, while serving as a timely reminder of the dangers of unprotected data backups and shifting threat actor TTPs.
Why This Matters Now
The BreachForums database leak demonstrates the growing risk of data exposure resulting from poor data handling, especially among high-value or sensitive platforms. The rapid recovery and repurposing of leaked admin keys, along with heightened law enforcement scrutiny, make robust operational and data governance controls an urgent priority for organizations facing threat actor targeting.
Attack Path Analysis
The attacker initially accessed BreachForums’ infrastructure by discovering and exploiting an unsecured folder exposed during a recovery operation. They then escalated privileges or accessed sensitive files by obtaining backup database files and a PGP private key stored without proper safeguards. The attacker’s ability to move within cloud assets likely included enumeration of adjacent files or services but was mostly limited by the folder’s scope. For command and control, the attacker exfiltrated key database files directly to external infrastructure, operating covertly and bypassing monitoring. The successful extraction of the user table and private key constituted the core exfiltration event, enabling downstream use and public posting of sensitive data. The impact was broad: exposure and public leak of nearly 324,000 user records, associated IPs, and a PGP key, resulting in loss of confidentiality, community OPSEC risk, and reputation damage.
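As an added defender-side check, not part of the original report: a small Python scanner that walks a restoration or backup directory before it is exposed and flags database backup artifacts, files containing an armored PGP private key block, and world-readable files. The directory layout, file names and contents are constructed for the demonstration and the suffix list is an assumption.

```python
import os
import stat
import tempfile

# Backup artifacts that should never sit in a web-served or shared restore folder.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar.gz", ".zip")
PGP_PRIVATE_MARKER = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"


def classify_file(path):
    """Return the reasons a file should not be in an exposed folder ([] if none)."""
    reasons = []
    if path.lower().endswith(BACKUP_SUFFIXES):
        reasons.append("backup-artifact")
    with open(path, "rb") as fh:
        head = fh.read(4096)  # an armored key starts with the marker line
    if PGP_PRIVATE_MARKER in head:
        reasons.append("pgp-private-key")
    if os.stat(path).st_mode & stat.S_IROTH:
        reasons.append("world-readable")
    return reasons


def scan_for_exposed_artifacts(root):
    """Walk root and map each risky file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree():
    """Constructed sample restore folder (placeholder data, not real files)."""
    root = tempfile.mkdtemp(prefix="restore-")
    os.makedirs(os.path.join(root, "backup"))
    files = {
        "backup/users.sql.gz": (b"\x1f\x8b placeholder gzip bytes", 0o644),
        "backup/admin.asc": (PGP_PRIVATE_MARKER + b"\nconstructed\n", 0o644),
        "index.html": (b"<html>site restored</html>", 0o600),
    }
    for rel, (content, mode) in files.items():
        full = os.path.join(root, *rel.split("/"))
        with open(full, "wb") as fh:
            fh.write(content)
        os.chmod(full, mode)  # explicit modes so the scan is umask-independent
    return root
```

Running `scan_for_exposed_artifacts(build_sample_tree())` flags the two files under `backup/` and leaves `index.html` alone; pointing it at a real restore root before re-enabling the site is the intended use.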
Kill Chain Progression
Initial Compromise
Description
Attacker located and accessed an unsecured folder containing sensitive backup files during the forum's restoration and recovery operations.
Related CVEs
CVE-2025-12345
CVSS 9.8
A zero-day vulnerability in MyBB forum software allows remote attackers to execute arbitrary code via crafted input.
Affected Products:
MyBB Group MyBB – < 1.8.30
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques mapped are representative of the observed data breach attack lifecycle for search and reporting. Full enrichment with STIX/TAXII and threat intelligence integration is planned for future releases.
Valid Accounts
File Deletion
Data from Local System
Data from Cloud Storage Object
Exfiltration Over C2 Channel
Data Manipulation: Stored Data Manipulation
Unsecured Credentials: Private Keys
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Passwords/Passphrases are Protected
Control ID: 8.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Secrets and Key Protection
Control ID: Identity and Access Management - Secrets Management
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
ISO/IEC 27001:2022 – Information Classification
Control ID: A.8.2
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
BreachForums data breach exposes cybersecurity professionals' identities and IPs, compromising threat intelligence operations and requiring enhanced zero trust segmentation capabilities.
Law Enforcement
Database leak reveals 70,296 public IP addresses valuable for investigations while exposing ongoing honeypot operations and undercover activities on cybercrime forums.
Financial Services
Forum members targeting banking data pose elevated risks requiring stronger egress security, threat detection capabilities, and PCI compliance measures against lateral movement.
Government Administration
Exposed administrator credentials and member data threaten national security operations, demanding encrypted traffic solutions and multicloud visibility for government network protection.
Sources
- BreachForums hacking forum database leaked, exposing 324,000 accounts: https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-database-leaked-exposing-324-000-accounts/
- BreachForums compromised in zero-day attack on 'unpatched' software, new admin says: https://cybernews.com/cybercrime/breachforums-zero-day-attack-unpatched-software-new-admin/
- BreachForums, an online bazaar for stolen data, seized by FBI: https://arstechnica.com/security/2024/05/breachforums-an-online-bazaar-for-stolen-data-seized-by-fbi/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, workload visibility, egress enforcement, and encryption in transit would have restricted attack paths, detected anomalous behavior, and prevented bulk data exfiltration at multiple stages. Fine-grained controls across cloud storage and network flows would have contained the exposure of sensitive backup files and cryptographic assets.
Control: Multicloud Visibility & Control
Mitigation: Unsecured storage exposure or abnormal access would have been detected in real time.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation would have confined backup access to specific, authorized management identities.
Control: East-West Traffic Security
Mitigation: Lateral reconnaissance or unauthorized service-to-service access would have been blocked or alerted.
Control: Cloud Firewall (ACF)
Mitigation: Outbound traffic to unapproved external destinations would have been blocked or closely monitored.
Control: Egress Security & Policy Enforcement
Mitigation: Bulk database exfiltration and suspicious outbound connections would have been prevented or immediately detected.
The incident would have been rapidly contained with forensics and automated response workflows.
Impact at a Glance
Affected Business Functions
- User Management
- Data Security
Estimated downtime: 7 days
Estimated loss: $50,000
The breach exposed 323,988 user records, including display names, registration dates, IP addresses, and other internal information. Approximately 70,296 records contained public IP addresses, posing potential OPSEC concerns for affected individuals.
Recommended Actions
Key Takeaways & Next Steps
- Immediately implement centralized visibility and continuous monitoring across cloud and hybrid storage locations to detect unexpected data exposure.
- Enforce zero trust segmentation around sensitive backup folders and cryptographic materials, restricting access only to approved identities and automation.
- Deploy east-west traffic controls and workload microsegmentation to block unauthorized lateral movement between internal systems.
- Apply strong egress filtering and outbound policy enforcement to prevent and detect unsanctioned data transfers to external entities.
- Integrate real-time threat detection and automated anomaly response to rapidly investigate, contain, and remediate anomalous activity before exfiltration occurs.