TL;DR

A breach of the cybercrime forum BreachForums during its restoration period exposed roughly 324,000 account records, including emails, usernames and Argon2-hashed passwords. Researchers say the dump includes PGP keys and identifiers tied to known threat actors, and the incident was added to Have I Been Pwned in January 2026.

What happened

Researchers and breach-tracking services say a copy of BreachForums account data was taken in August 2025 during the forum's recovery and later posted to a site using the shinyhunte[.]rs domain along with a manifesto from someone calling themselves "James." Have I Been Pwned logged the incident on January 10, 2026, and estimates roughly 324,000 unique email addresses were exposed. Analysis by security firm Resecurity found usernames, Argon2-hashed passwords, public and private posts, private messages, PGP keys and other forum artifacts in the dump. Some entries appear to have been altered or partially scrubbed, but investigators judged much of the material authentic. The breach predates a law-enforcement takedown of the BreachForums domain in October 2025, and timing in the dataset suggests the data was captured as the site was shutting down.

Why it matters

  • Data tied to a large number of accounts on a criminal forum can be cross-referenced to deanonymize operators and associates.
  • Leaked PGP keys and identifiers may enable tracing or attribution of previously semi-private communications.
  • Exposure of hashed credentials increases risk of account takeover and lateral identification across other services.
  • Publication of these records raises the chance of arrests and operational disruption for individuals named in the dump.

Key facts

  • Incident occurred in August 2025 during BreachForums' restoration/recovery period.
  • About 324,000 unique email addresses, usernames and Argon2-hashed passwords were included, per Have I Been Pwned.
  • The dataset contained material from public posts, private messages and other forum records.
  • Resecurity's review identified records linked to actors previously associated with groups such as GnosticPlayers.
  • PGP keys tied to handles including ShinyHunters and IntelBroker appeared in the published dump.
  • Some records show signs of editing or scrubbing, though Resecurity said a substantial portion appears genuine.
  • IP information in the leak, whose interpretation is complicated by VPN use, showed activity from the US, parts of Europe, and MENA (including Morocco, Jordan and Egypt).
  • BreachForums' administrator (alias "N/A") acknowledged the exposure, saying an unsecured folder used during restoration was briefly downloaded.

What to watch next

  • Whether law enforcement action or arrests result from cross-referencing the published data: not confirmed in the source.
  • Any follow-on releases or additional leaked datasets tied to BreachForums: not confirmed in the source.
  • Independent verification of the identity or motives of the individual calling themselves "James": not confirmed in the source.

Quick glossary

  • Argon2: A modern password-hashing algorithm designed to resist brute-force attacks and to be computationally and memory expensive for attackers.
  • PGP key: A cryptographic key used to encrypt, decrypt and sign messages so correspondents can verify identity and maintain confidentiality.
  • VPN: A virtual private network that routes internet traffic through an intermediary server to conceal a user's IP address and location.
  • Have I Been Pwned: A service that aggregates data breach records and lets individuals check whether their email addresses or accounts appear in known compromises.
  • BreachForums: A long-running online forum used as a marketplace and discussion space for stolen data and cybercrime activity.

Reader FAQ

How many user records were exposed?
Have I Been Pwned reported roughly 324,000 unique email addresses and related account records.

When did the breach happen?
The leaked data dates to August 2025, during the forum's restoration period.

Were passwords included?
The dump contained Argon2-hashed passwords, according to the reporting.

Is the person who posted the data linked to a known group?
Claims linking the poster known as "James" to ShinyHunters were made, but that connection is not independently verified in the source.

Infamous BreachForums forum breached, spilling data on 325K users. Website built around buying and selling stolen data has lost control of its own. Paul Kunert, Mon 12 Jan 2026 // 13:07 UTC…
