Cybercriminals that use the BreachForums dark web site may soon have their identities exposed after a database related to the forum was leaked online.
On Friday, a website named after the ShinyHunters hacking collective, shinyhunte[.]rs, released a Zip archive, “breachedforum.7z,” containing the SQL database, alongside a lengthy message and a PGP key, according to Resecurity.
The next day, a password for the private PGP key was published. Rescurity believes the key is used by BreachForums to sign official messages from its administrators.
The security firm urged anyone interested in the database to download it from its own site, as other sources may try to booby-trap it with malware.
“The database includes meta-data of 323,986 users extracted from MySQL DB table named ‘hcclmafd2jnkwmfufmybb_users’ relevant to MyBB, an open source forum software,” the firm explained.
“The database could be acquired as a result of a web application vulnerability in a CMS or through possible misconfiguration.”
Read more on BreachForums: French Authorities Arrest Four with Suspected Ties to Notorious BreachForums
It’s not clear how useful the information in the database will be to investigators. It includes usernames and IP addresses, but at least some of the latter are thought to be a loopback address, making it impossible to trace the individual.
“Some of the records identified in the database are definitely authentic and can be cross-checked with other sources regarding specific actors,” said Resecurity.
“However, some records have been edited, removed, or contain non-existent information (for example, replaced on IP 127.0.0.9), which is likely an OPSEC measure taken by the actors administering it.”
Also unclear is the motivation of the leaker. Accompanying the database was a lengthy manifesto authored to a “James,” which names several individuals and potential aliases: Dorian Dali (Kams), Ojeda Nahyl (N/A, Indra) and MANA (Mustapha Usman).
In response, the current administrator of BreachForums, “N/A,” posted a message to the forum, claiming “James” is a former member of ShinyHunters.
“We want to reassure you that no changes will be made, and moreover, the staff information leaked, including me, is entirely false, as is any remaining data,” they claimed.
“This James (Mathis) is a poor madman who is no longer in his right mind and is currently wanted by the police.”
A Brief History of BreachForums
The last registered user on the database is apparently August 11 2025, the date that the previous iteration of BreachForums[.]hn was closed.
That fits with N/A’s claim that the table was taken during the time BreachForums was being restored from the .hn domain, when it was temporarily stored in an unsecured folder.
The site was first launched as a successor to RaidForums, which was seized by law enforcement in 2022. Run by Conor Brian Fitzpatrick (pompompurin) until his arrest in 2023, this first iteration of BreachForums was succeeded by another run by ShinyHunters and administrator “Baphomet” until it too was seized and shuttered in 2024.
After the most recent closure in August 7 2025, a member of the ShinyHunters gang posted a message on the “Scattered Lapsus$ Hunters” Telegram channel claiming the forum was a police honeypot.
Law enforcement disrupted the operation again in October last year.
