
Cyber Incident Victim: Cracked.to

Date:

Jul 2019

Location:

United States of America

Summary

A rival hacking group breached a cybercrime-focused forum, exposing over 321,000 members' data including email addresses, IPs, usernames, private messages, and bcrypt-hashed passwords. The attackers obtained the database through an exploit or unauthorized access to backups, revealing discussions on illicit activities such as selling compromised Fortnite accounts and exploiting WinRAR vulnerabilities. Prior security improvements by the forum, including upgrading password storage to robust bcrypt hashing, significantly reduced the breach's severity by protecting most credentials from being easily cracked. Private messages were leaked in plaintext, potentially exposing user identities despite some anonymization efforts. The forum administrator acknowledged the leak's gravity, particularly concerning private communications, and vowed retaliation against those responsible for distributing the data.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

On or around July 21, 2019, hackers from the Raidforums platform breached the rival hacking forum Cracked.to, obtaining a database containing records for over 321,000 members. The attackers published this data on Raidforums.com on August 9, 2019, exposing 749,161 unique email addresses alongside usernames, IP addresses, private messages, and passwords stored as bcrypt hashes. The 2.11GB database dump originated from Cracked.to's MyBB forum software and included nearly 397,000 private messages revealing discussions about illegal activities. These communications included transactions involving cracked *Fortnite* accounts with stolen skins, methods for altering compromised account credentials, and advertisements for exploits targeting the critical WinRAR vulnerability CVE-2019-20250. While many users likely employed Tor or anonymization tools, the exposure of registration IP addresses and login histories created potential identification risks for individuals who had reused identifiable credentials or IPs.


Cracked.to administrators had proactively upgraded their password hashing system months prior to the breach, replacing MyBB's weak default scheme with bcrypt hashing at a work factor of 12. This implementation significantly limited the breach's damage by making password cracking computationally infeasible for most accounts, though weak passwords remained vulnerable. Following the leak, Cracked.to mandated password resets for all users. Forum administrator "floraiN" confirmed the breach stemmed from a trusted individual's unauthorized access to outdated database backups, not a live system compromise. The exposed private messages—stored unencrypted—were identified as the most severe consequence, as they contained unambiguous evidence of illicit transactions. floraiN acknowledged the risks posed by exposed IP address logs from users' first and most recent visits while vowing retaliation against both the leaker and Raidforums for distributing the data. Forensic analysis by HaveIBeenPwned validated the dataset's authenticity and scope, though the exact infiltration method remained unconfirmed, with Raidforums' operator "Omnipotent" vaguely attributing it to an unspecified exploit.
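As an added illustration (not part of this incident record, and not the forum's own code), the Python check below tells MyBB's legacy md5(md5(salt) + md5(password)) hashes apart from bcrypt hashes and flags any bcrypt hash stored below the work factor of 12 the forum adopted, the kind of migration audit an administrator would run before a leak rather than after one. The hash strings in the sample are constructed, not real records.

```python
import hashlib
import re
from collections import Counter

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def mybb_legacy_hash(password: str, salt: str) -> str:
    """MyBB's historical default: md5(md5(salt) + md5(password)).

    Salted, but MD5 is so fast that a leaked table of these hashes
    can be guessed at billions of candidates per second per GPU."""
    def md5(s: str) -> str:
        return hashlib.md5(s.encode()).hexdigest()
    return md5(md5(salt) + md5(password))


def classify(stored: str):
    """Return (scheme, cost) for one stored password hash string."""
    m = BCRYPT_RE.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if LEGACY_MD5_RE.match(stored):
        return "legacy-md5", None
    return "unknown", None


def audit(stored_hashes, min_cost: int = 12) -> dict:
    """Count accounts still needing migration to bcrypt at cost >= min_cost."""
    counts = Counter()
    for h in stored_hashes:
        scheme, cost = classify(h)
        if scheme == "bcrypt":
            counts["bcrypt_ok" if cost >= min_cost else "bcrypt_low_cost"] += 1
        else:
            counts[scheme] += 1
    return dict(counts)


# Constructed sample rows (not breach data); salt/hash characters are arbitrary.
SAMPLE_HASHES = [
    "$2b$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",  # cost 12: fine
    "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",  # cost 10: too low
    mybb_legacy_hash("password123", "xK9f2Qa1"),                    # legacy MyBB row
    "plaintext-oops",                                               # unrecognised
]

if __name__ == "__main__":
    print(audit(SAMPLE_HASHES))  # {'bcrypt_ok': 1, 'bcrypt_low_cost': 1, 'legacy-md5': 1, 'unknown': 1}
```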

Sources
Sources available to members
1 source