HIGH SEVERITY | Cybercrime: Threat Actor Infrastructure

BreachForums Data Breach

BreachForums Cybercrime Forum Breach & Law Enforcement Seizure (2025): 672K Member Accounts Including Private Messages Exposed

Cybercrime forum used for breach trading, data leaks, and illicit discussion.

Verified by ObscureIQ Intelligence

Severity: 6.0
Records: 672K
Fields: 5
Year: 2025

ObscureIQ Breach Intelligence Scores
Breach Risk Index: 22.8
Data Value: 25
Market Recency: 60
Days Since Breach: 107

Risk Interpretation

Exposure enables criminal-network mapping, retaliation, blackmail, and law-enforcement targeting. Forum activity can also reveal who traded or discussed specific breach datasets.

🎯 Impact & Downstream Threats

The institutional impact on BreachForums has been effectively terminal in its current iteration, with the October 2025 seizure including the forum's domains, backend servers, and database backups extending back to 2023. The administrators have publicly stated that 'BreachForums is never coming back, if it comes back, it should immediately be considered a honeypot.' The case has been broadly cited in international cybersecurity coverage as a major law enforcement victory against cybercrime forum

Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses

🔓 Threat Vectors

Phishing, credential stuffing & account takeover
Blackmail, relationship fraud & business intelligence theft
Credential stuffing & account takeover
Doxing & reputation attack
Cross-platform tracking & credential stuffing

📋 Breach Intelligence

Entity: BreachForums
Organization • Global
Breach Date: 2025-08-01
HIBP Added: 2026-01-10
Records: ~672K (672,200 records)
Attack Vector: Misconfiguration
Threat Actor: "James" (via shinyhunte[.]rs domain; possibly ShinyHunters-linked, disputed)
Source: Have I Been Pwned / ObscureIQ
Sensitivity: Elevated
Breach ID: 223.0
Status: Confirmed

📝 Executive Summary

BreachForums, the most prominent English-language cybercrime forum, suffered a data breach in approximately August 2025 when the forum's user table and PGP key were temporarily stored in an unsecured folder during a recovery operation following the August 11, 2025 shutdown of the breachforums.hn domain. According to the forum's administrator 'N/A,' the unsecured folder was downloaded by an unauthorized party during the brief exposure window. The breach data was distributed publicly on January 9, 2026 through the shinyhunte[.]rs domain by an actor using the alias 'James' (with the BreachForums administrator suggesting that James may be linked to the ShinyHunters extortion collective, although ShinyHunters disputed the claim). Have I Been Pwned indexed the breach on January 10, 2026. The August 2025 underlying breach predated the October 10, 2025 law enforcement seizure of BreachForums.

The breach affected approximately 672,247 unique email addresses across all data tables based on records indexed by Have I Been Pwned, with the users table specifically containing 323,986 unique email addresses, usernames, and Argon2 password hashes. The total exposure includes email addresses extracted from forum posts, private messages, and other forum records in addition to the users table. Compromised fields included email addresses, usernames, passwords stored as Argon2 hashes (a substantially stronger algorithm than the salted MD5 hashes seen in earlier cybercrime forum breaches), forum posts, and private messages. The most recent registration date in the leaked database was August 11, 2025 — the same day that the breachforums.hn domain was shut down. Geographic IP analysis indicated heavy use from the United States and parts of Europe along with activity in the Middle East and North Africa including Morocco, Jordan, and Egypt. The private message exposure is particularly significant because such messages may contain direct evidence of cybercrime operations, victim targeting, payment arrangements, and operational coordination among forum members.

For individuals whose email addresses appear in the BreachForums dataset, the practical risk profile is exceptionally severe and varies depending on the depth of forum participation. For users who actively participated in cybercrime through BreachForums (selling breach data, purchasing breach data, coordinating ransomware operations, participating in extortion campaigns), the breach data combined with the law enforcement seizure of forum infrastructure creates substantial criminal-prosecution risk under federal computer fraud, wire fraud, and conspiracy statutes. The Argon2 password hashing means original passwords are not easily recoverable, but the metadata exposure (email, username, IP, registration date, and any private messages) provides law enforcement with substantial evidence independent of the password recovery. The U.S. Computer Fraud and Abuse Act, federal Wire Fraud statute, and equivalent statutes in other jurisdictions may apply directly. For users who participated in BreachForums only as observers or for security research purposes, the breach exposure may create employment or professional consequences depending on the jurisdiction and the user's actual activity. Affected users should change any reused passwords on other accounts because the password exposure means any account where the same password was reused is potentially compromised. Users whose private messages may contain evidence of criminal activity should consult with legal counsel regarding their specific exposure.

🏢 About BreachForums

BreachForums was the most prominent English-language cybercrime forum dedicated to the trading and discussion of stolen data, breach datasets, hacking tools, ransomware operations, and related illicit services. The forum operated as the successor to RaidForums (which was seized by U.S. authorities in 2022), with multiple successive iterations operated under different administrators after each law enforcement takedown. The 2025 incarnation operated at the breachforums.hn domain and was administered by individuals including Baphomet and members of the ShinyHunters extortion group. BreachForums' content directly facilitated federal felony-level cybercrime activity including the sale of breach datasets containing stolen personal information, payment card data, corporate credentials, and access to compromised networks. As cybercrime forum infrastructure, BreachForums maintained extensive user accounts, public forum posts, and private messages that documented members' direct participation in cybercrime operations.

Threat Actor Infrastructure | Cybercrime discussion and breach trading | Breach trading forum | Global
Global* threat actor

🗂 Why They Hold Your Data

Cybercrime forums collect user accounts, messages, trade histories, service listings, and discussion records tied to breach trading and illicit data exchange.

📰 Recent Developments

BreachForums was seized by U.S. and international law enforcement on October 10, 2025 in a coordinated operation involving the FBI, U.S. Department of Justice, France's BL2C cybercrime unit, the Paris Prosecutor's Office, and France's National Jurisdiction against Organised Crime (JUNALCO). The breachforums.hn domain was redirected to display a multi-agency seizure banner inviting victims and former forum members to provide information through the FBI's Internet Crime Complaint Center (IC3). The October 2025 seizure was the fourth major law enforcement disruption of BreachForums and its predecessors: RaidForums was seized in 2022, BreachForums v1 (operated by Conor Brian Fitzpatrick under the alias 'Pompompurin') was shut down in March 2023 after Fitzpatrick's arrest and subsequent three-year prison sentence, BreachForums v2 (operated by Baphomet and ShinyHunters) was seized in May 2024 with Baphomet reportedly arrested, and the 2025 reincarnation was seized in October 2025 with five additional individuals reported as taken into custody. The 2025 BreachForums had operated as both a discussion forum and as an extortion platform tied to the Scattered LAPSUS$ Hunters Salesforce extortion campaign targeting Adidas, Cartier, Chanel, Cisco, FedEx, IKEA, McDonald's, Qantas, Toyota, Walgreens, and other major corporations.

🔍 Data Points Exposed

5 verified field types:
Email
Forum posts
Passwords
Private messages
Usernames

Exposure Categories

Communications: PRIV MSGS

Canonical Fields

email_address, messages_and_chat:private_message, password, public_user_content:forum_post, username

🌐 Dark Web Verification

Confirmed
  • Dataset containing ~672K records identified in breach intelligence sources
  • Data indexed and searchable across breach notification platforms
  • Source: BreachForums (2025) Data Breach

🛡 Recommended Actions

⚠️ Do not assume this is low sensitivity.

1. Freeze Your Credit
   Place a credit freeze with Equifax, Experian, and TransUnion.
2. Expect Targeted Phishing
   Watch for emails referencing this breach. Verify through official channels.
3. Enable MFA Everywhere
   Enable multi-factor authentication on all accounts.
4. Monitor Accounts
   Watch for unauthorized activity on financial and personal accounts.
5. Check Your Exposure
   ObscureIQ clients: this breach is indexed in your profile.

ObscureIQ Advisory

We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.

If you are:
  • A public-facing individual
  • A high-profile executive
  • A customer of BreachForums
  • Or concerned about credential reuse

Classification Tags

Misconfiguration, Hacking Forum, Email, Passwords

Powered by the ObscureIQ Breach Intelligence Database

© 2026 ObscureIQ · All Rights Reserved · Data Licensing
