Cyber Incident Victim: BreachForums
Date: Jun 2023
Location: United States of America
Summary
A resurrected version of the cybercrime forum BreachForums was hacked by rival threat actors, who stole and published its user database. Researchers confirmed the leak as legitimate. It contained records for 4,700 registered users, including usernames, email addresses, salted password hashes, login keys and user activity data. The incident occurred within a week of the forum being relaunched by former members, following the arrest of its original founder.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In late May 2023, the administrator of a new cybercrime forum posted a database containing details of former members of RaidForums, the now-defunct predecessor to the original BreachForums. This signaled ongoing instability in the cybercrime marketplace community following the arrest of Conor Brian Fitzpatrick, also known as Pompompurin, which had led to the demise of the original BreachForums. Shortly thereafter, a new version of BreachForums was launched, allegedly by the hacker collective ShinyHunters. The reincarnated site offered to restore the ranking numbers former members had earned on the original platform, pending verification by its current administrators. The new owners appeared to have collaborated with Baphomet, who had been Pompompurin's second in command and took over as main administrator after the arrest, before shutting the original site down. At the same time, the domain of the original BreachForums displayed a message warning users that the forum was never coming back and that any site claiming to be the real thing should be treated with extreme caution. The warning explicitly stated, "The BreachForums clone has already been hacked. Do not trust websites impersonating, as said multiple times it won't be returning."

Less than a week after the resurrected BreachForums launched, it was compromised. Users of rival cybercrime marketplaces began sharing a database containing the details of 4,700 users who had registered on the new forum. The Cybernews research team examined the data and confirmed that it was legitimate and belonged to users of the resurrected site. The stolen data was comprehensive: usernames, password hashes, the cryptographic salt values used with them, login keys, email addresses, post counts, thread counts and other user activity data. The breach exposed the new forum's entire user base, compromising both their credentials and a record of how active they had been on the platform.
According to security researcher Alon Gal, one of the main contender forums seeking to fill the vacuum left by the original BreachForums had recently had its domain seized by the U.S. Department of Justice and Europol. The administrators of that rival forum claimed responsibility for hacking the new BreachForums and leaking its database. Hacking a competing cybercrime forum and publishing its user database was a significant event within the underground community, illustrating the intense rivalry and lack of trust among these groups. Because the leak was shared on the rival marketplaces themselves, the compromised data circulated widely.
The impact on the affected users was immediate and severe. Their credentials, including salted password hashes, were exposed. Salting defeats precomputed lookup tables but does not prevent offline guessing of weak passwords one account at a time, so any user who had reused a password elsewhere became vulnerable to credential stuffing and account takeover on other platforms. The exposure of email addresses tied to criminal activity put individuals at risk of identification and legal consequences. The activity counts in the leak could also be used to gauge a user's standing or level of involvement in the cybercriminal community. For the resurrected site itself, the hack was a catastrophic loss of credibility and security, effectively crippling the new operation shortly after launch and validating the warning posted on the original domain.
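The following is an added example, not code from the page or from any forum software, illustrating the risk described above: a per-user salt stops precomputed tables, but an attacker holding the leaked salt and hash can still run a dictionary attack against each account, and any password recovered that way can be replayed against a second service. The hash scheme (SHA-256 over salt plus password), the "leaked" rows, the wordlist and the second site are all constructed for the example; the page does not state which scheme the forum actually used.

```python
"""Added example: why leaked salted hashes still enable credential stuffing.
Everything below is constructed for illustration; the hash scheme is an
assumption and is not the one used by the forum described on the page."""
import hashlib
import hmac
from typing import Dict, List, Tuple


def salted_hash(salt: str, password: str) -> str:
    """Hypothetical scheme: SHA-256(salt || password). Chosen only to keep the
    example self-contained (assumption, not the forum's real scheme)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "leaked" rows: username, per-user salt, password hash.
LEAK: List[Dict[str, str]] = [
    {"user": "alice", "salt": "k3Xq", "hash": salted_hash("k3Xq", "password123")},
    {"user": "bob",   "salt": "Zp9a", "hash": salted_hash("Zp9a", "letmein")},
    {"user": "carol", "salt": "q1Lm", "hash": salted_hash("q1Lm", "c0rrect-h0rse-battery!7")},
]

# Constructed username -> email mapping, as a leak of this kind would provide.
EMAILS: Dict[str, str] = {
    "alice": "alice@example.invalid",
    "bob": "bob@example.invalid",
    "carol": "carol@example.invalid",
}

# Constructed short wordlist standing in for a real cracking dictionary.
WORDLIST: List[str] = ["123456", "password", "letmein", "password123", "qwerty"]


def crack(rows: List[Dict[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack over the leaked rows.

    Per-user salts mean no single precomputed table works for every row, but
    each row costs only len(wordlist) hash computations, so weak passwords
    are recovered regardless of salting. Returns {username: password}.
    """
    found: Dict[str, str] = {}
    for row in rows:
        for candidate in wordlist:
            if hmac.compare_digest(salted_hash(row["salt"], candidate), row["hash"]):
                found[row["user"]] = candidate
                break
    return found


# Constructed second service with its own independent salts. The only link
# between it and the leak is the email address and a reused password.
OTHER_SITE: Dict[str, Tuple[str, str]] = {
    "alice@example.invalid": ("R5tt", salted_hash("R5tt", "password123")),
    "bob@example.invalid":   ("Uu8n", salted_hash("Uu8n", "different-pw")),
}


def stuffing_hits(cracked: Dict[str, str],
                  other_site: Dict[str, Tuple[str, str]],
                  email_of: Dict[str, str]) -> List[str]:
    """Simulated credential stuffing: replay each recovered password against
    the second site's stored credential for the same email address.
    Returns the emails whose reused password verified (i.e. account takeover)."""
    hits: List[str] = []
    for user, password in cracked.items():
        email = email_of.get(user)
        if email not in other_site:
            continue
        salt, stored = other_site[email]
        if hmac.compare_digest(salted_hash(salt, password), stored):
            hits.append(email)
    return hits


if __name__ == "__main__":
    recovered = crack(LEAK, WORDLIST)
    print("recovered from leak:", recovered)
    print("accounts taken over elsewhere:", stuffing_hits(recovered, OTHER_SITE, EMAILS))
```

Only the two weak, reused passwords fall; the long unique passphrase survives the wordlist, and the user whose second-site password differs is not taken over even though the first one was cracked. That is the distinction the paragraph above draws: salting limits the attacker to per-account guessing, and the damage then depends entirely on password strength and reuse.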
The response to the incident was multifaceted. The rival forum administrators who claimed responsibility used the leak as a public demonstration of their capability and as a tool to discredit a competitor. The Cybernews research team independently analyzed the leaked data and publicly confirmed its authenticity, giving the security community and potential victims reliable information. The warning on the original BreachForums domain served as a standing public notice that any impersonating forum was untrustworthy and had already been compromised.

The wave of new cybercrime forums, and the infighting that followed, caused considerable concern within the cybercrime community itself. Suspicion grew that at least a few of the newcomer forums had been set up by law enforcement agencies as honeypots to lure criminals into revealing their identities and activities. This climate of paranoia and mistrust complicated the search for a new platform after the takedowns of RaidForums and the original BreachForums. The incident underscored the chaotic and volatile nature of the cybercrime ecosystem, in which even platforms built for illicit activity are frequent targets of other malicious actors, producing a continuous cycle of compromise and data exposure.
