While consumers are usually the ones worried about their information being exposed in data breaches, it’s now the hacker’s turn, as the notorious Breached cybercrime forum’s database is up for sale and member data shared with Have I Been Pwned.
Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.
“In November 2022, the well-known hacking forum “BreachForums” was itself, breached. Later the following year, the operator of the website was arrested and the site seized by law enforcement agencies,” reads the HIBP announcement.
“The breach exposed 212k records including usernames, IP and email addresses, private messages between site members and passwords stored as argon2 hashes.”
Breached was a large hacking and data leak forum notorious for hosting, leaking, and selling data stolen from hacked companies, governments, and organizations worldwide.
After the FBI arrested the site’s admin Pompompurin in March 2023, the remaining administrator, Baphomet, decided to shut the forum down after believing that law enforcement also had access to the site’s servers.
Baphomet later launched a new Breached Forums clone (called in this article BFv2) with another data breach seller known as Shiny Hunters.
The Breached database is currently being sold by a threat actor going by the name ‘breached_db_person,” they shared the database with Have I Been Pwned to prove its authenticity to potential buyers. Breached accounts are listed in the shared member’s table.
Previous Breached admin Baphomet has also confirmed the authenticity of the database, warning that its sale is part of a “continued campaign attempting to destroy the community.”
“Not only was the database submitted to HIBP, but it’s being actively sold/leaked by at least one person – even attempting to do so on our forum,” warned Baphomet.
“For that reason I’m sure we’re going to see it public soon enough. Judging by the 212k users, this is likely an older database months before the closing of BFv1, seeing that my last backup of the forum has 336k users.”
Other than law enforcement, the seller said that only they, Baphomet, and Pompompurin have possession of the database.
The threat actor says they are selling the Breached database to only one person for $100,000 – $150,000 and that it contains a snapshot of the entire database taken on November 29th, 2022. The database is 2 GB and contains all tables, including those for private messages, payment transactions, and the member database.
While the FBI already revealed that they gained access to the Breached database after they seized the servers, this data can still be valuable for cybersecurity researchers and potentially other threat actors.
The seller, breached_db_person, told BleepingComputer that the private message tables have a lot of incriminating information about forum members and that the ‘members’ database contains IP addresses showing that many threat actors don’t follow good operational security by using residential IP addresses.
The private messages table is valuable as it contains messages sent privately between the different members of the forum, potentially revealing information on past attacks, identities, and other useful information.
Samples of the payments table were shared and contain information on payments made to purchase forum ranks (membership levels with extra benefits) and credits (a form of currency used on the forum).
These payments were processed through CoinBase Commerce or Sellix, with the Coinbase transactions including links to order confirmations containing sensitive information, such as cryptocurrency addresses and Coinbase payment IDs.
This cryptocurrency data can be useful to blockchain analytics companies, who can use the cryptocurrency addresses to link threat actors to criminal activity.
Breached and its members have been responsible for a wide range of hacks, extortion attempts, ransomware attacks, and the leaking of stolen data for many companies. These breaches include DC Health Link, Twitter, RobinHood, Acer, Activision, and many more.
Therefore, the private messages could be invaluable for researchers, with the seller stating that they have already been contacted by cybersecurity firms requesting a copy of the data for their own research.
Other threat actors are also showing interest, with the seller saying they received an offer for $250,000.
While it is too soon to tell whether the database will ultimately be sold, even if it is, it would not be surprising for the entire database to be leaked for free in the future.
It is common for data breaches to first be purchased privately and then released later to increase reputation among the data theft community.
Just recently, the seized RaidForums data breach forum also suffered a data breach, and the new BreachedForums clone (BFv2) had its database leaked.