
Cyber Incident Victim: Exposed

Date:

May 2023

Location:

United States of America

Summary

A new hacking forum named 'Exposed' leaked a database containing registration details of 478,000 members of the notorious RaidForums platform, exposing usernames, email addresses, hashed passwords, and other account-related information. The compromised data, spanning several years of user registrations, gives threat actors and researchers insight into individuals previously involved in trading stolen data, and follows the earlier seizures of RaidForums and its successor Breached by law enforcement. The leak was made by an administrator of the Exposed forum, who claimed the database dump was not originally intended for public release but decided to share it while withholding specifics about its source. Most records were retained, with minor removals.


Description

The RaidForums hacking forum, operational from at least 2015 until its seizure in April 2022, served as a prominent platform for threat actors to trade stolen data. Law enforcement agencies dismantled the forum and arrested its administrator, known as "Omnipotent," along with two accomplices, following an international operation. RaidForums facilitated the sale and distribution of databases stolen from breached organizations, with threat actors using compromised data for phishing, scams, and malware distribution. After its shutdown, users migrated to Breached, a successor forum that operated until March 2023. Breached ceased operations after its founder, "Pompompurin," was arrested by the FBI, and remaining administrators grew concerned about law enforcement access to their infrastructure. In May 2023, a new forum named "Exposed" emerged to fill the void left by Breached’s closure, rapidly gaining traction within the cybercriminal community. On May 29, 2023, an Exposed administrator using the alias "Impotent" leaked a database containing registration details of 478,870 RaidForums members. The leaked data, stored in a SQL file labeled "mybb_users," spanned user registrations from March 20, 2015, to September 24, 2020, though the exact creation date of the database dump remains unclear.


The leaked RaidForums member information included usernames, email addresses, hashed passwords, registration dates, and other forum-related metadata. Impotent claimed the database retained 99% of original records, with selective removals to "cause no drama," though the criteria for these omissions were not disclosed. BleepingComputer verified the authenticity of the leak by cross-referencing known account details, while Exposed forum members confirmed their personal information appeared in the dataset. Although law enforcement likely obtained the database during the 2022 seizure, the public exposure gave threat actors and researchers unprecedented access to profiles of individuals involved in historical cybercrime activities. Impotent stated that the leak was initially unintended but that they decided to release the data publicly without revealing its origin. Security researchers anticipated the leak could aid in linking threat actors to past breaches or malicious campaigns through email and username correlations. The incident underscored the persistent circulation of historical cybercrime data within successor forums, despite law enforcement disruptions of major platforms like RaidForums and Breached.
