Cyber Incident Victim: OGUsers
Date: May 2019
Location: United States of America
Summary
A notorious online forum facilitating the trade of stolen social media and gaming accounts was compromised through a vulnerability in a custom plugin, resulting in unauthorized access to a historical backup containing sensitive user data. The breach exposed usernames, MD5-hashed passwords, email addresses, IP logs, private messages, and internal website code, prompting widespread user abandonment due to fears of law enforcement scrutiny and retaliatory account takeovers. The administrator acknowledged the incident as the platform's first significant security failure, citing relentless targeting by malicious actors, while members described the event as catastrophic and potentially existential for the community.
Description
On May 16, 2019, the administrator of OGUsers Forum, known as Ace, publicly disclosed a security breach affecting the platform, which served as a marketplace for trading stolen social media and online service accounts. The compromise occurred when attackers exploited a vulnerability in a custom plugin within the forum’s software, gaining access to a server backup dated December 26, 2018. The breach was independently verified by Motherboard journalists, who confirmed the authenticity of the leaked database by locating test accounts they had previously registered on the forum. OGUsers, colloquially referred to as OGU by its members, had operated for nearly three years prior to the incident, primarily facilitating the sale of “OG” (short, rare, or desirable) usernames for platforms including Instagram, Twitter, PlayStation Network, Steam, and Domino’s Pizza. The forum had also become a hub for hackers specializing in account takeover techniques such as SIM swapping, where attackers hijack victims’ phone numbers to bypass authentication and steal accounts.

The compromised data included forum usernames, MD5-hashed passwords, email addresses, IP addresses, website source code, private messages, and internal site data. A hacker using the alias Omnipotent publicly announced the breach on RaidForums, another cybercrime platform, amplifying its visibility. Members expressed severe distress over the exposure, with one describing the incident as “like a nuke dropped on the site” and noting widespread abandonment of the forum due to fears of law enforcement scrutiny or retaliatory attacks. The leak of private messages was particularly concerning, as some users relied exclusively on the forum’s messaging system for communications, potentially exposing criminal collaborations or personal identifiers. Ace issued an apology on the forum, acknowledging members’ frustrations while comparing the breach to incidents at major companies like Twitter and Facebook. Despite this, Ace did not respond to direct requests for comment from Motherboard. The breach exacerbated existing distrust within the community, with members predicting the forum’s imminent collapse if further disruptions occurred.
