BreachForums 2025 Data Breach

BreachForums Cybercrime Forum Breach & Law Enforcement Seizure (2025): 672K Member Accounts Including Private Messages Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

"James" (via shinyhunte[.]rs domain; possibly ShinyHunters-linked, disputed) · Misconfiguration · Cybercrime: Threat Actor Infrastructure · Email Address · Messages & Chat · Password · Public User Content · Username
High Severity · Website / service breach

Cybercrime forum used for breach trading, data leaks, and illicit discussion.

Verified by ObscureIQ Intelligence
Breach Risk Index: 86/100
Data Value: 25
Market Recency: 60
Since Breach: 107d

Breach Intelligence Summary

Entity: BreachForums · Actor: "James" (via shinyhunte[.]rs domain; possibly ShinyHunters-linked, disputed) · Sources: 2 references
Attack: Misconfiguration
Profile: Threat Actor Infrastructure · Cybercrime discussion and breach trading · Breach trading forum · Global
Timeline: Breach (2022-11-29) · Indexed (Jan 10, 2026) · Year (2025)
Exposure: 672K records · 5 fields: Email Address, Messages & Chat, Password, Public User Content, Username
Status: Confirmed

Executive Summary

BreachForums, the most prominent English-language cybercrime forum, suffered a data breach in approximately August 2025 when the forum's user table and PGP key were temporarily stored in an unsecured folder during a recovery operation following the August 11, 2025 shutdown of the breachforums.hn domain. According to the forum's administrator 'N/A,' the unsecured folder was downloaded by an unauthorized party during the brief exposure window.

The breach data was distributed publicly on January 9, 2026 through the shinyhunte[.]rs domain by an actor using the alias 'James' (with the BreachForums administrator suggesting that James may be linked to the ShinyHunters extortion collective, although ShinyHunters disputed the claim). Have I Been Pwned indexed the breach on January 10, 2026. The August 2025 underlying breach predated the October 10, 2025 law enforcement seizure of BreachForums.

The breach affected approximately 672,247 unique email addresses across all data tables based on records indexed by Have I Been Pwned, with the users table specifically containing 323,986 unique email addresses, usernames, and Argon2 password hashes. The total exposure includes email addresses extracted from forum posts, private messages, and other forum records in addition to the users table. Compromised fields included email addresses, usernames, passwords stored as Argon2 hashes (a substantially stronger algorithm than the salted MD5 hashes seen in earlier cybercrime forum breaches), forum posts, and private messages. The most recent registration date in the leaked database was August 11, 2025, the same day that the breachforums.hn domain was shut down. Geographic IP analysis indicated heavy use from the United States and parts of Europe along with activity in the Middle East and North Africa including Morocco, Jordan, and Egypt.

The private message exposure is particularly significant because such messages may contain direct evidence of cybercrime operations, victim targeting, payment arrangements, and operational coordination among forum members. For individuals whose email addresses appear in the BreachForums dataset, the practical risk profile is exceptionally severe and varies depending on the depth of forum participation.

For users who actively participated in cybercrime through BreachForums (selling breach data, purchasing breach data, coordinating ransomware operations, participating in extortion campaigns), the breach data combined with the law enforcement seizure of forum infrastructure creates substantial criminal-prosecution risk under federal computer fraud, wire fraud, and conspiracy statutes. The Argon2 password hashing means original passwords are not easily recoverable, but the metadata exposure (email, username, IP, registration date, and any private messages) provides law enforcement with substantial evidence independent of the password recovery. The U.S. Computer Fraud and Abuse Act, federal Wire Fraud statute, and equivalent statutes in other jurisdictions may apply directly.

For users who participated in BreachForums only as observers or for security research purposes, the breach exposure may create employment or professional consequences depending on the jurisdiction and the user's actual activity. Affected users should change any reused passwords on other accounts because the password exposure means any account where the same password was reused is potentially compromised. Users whose private messages may contain evidence of criminal activity should consult with legal counsel regarding their specific exposure.

ObscureIQ assessment: Exposure enables criminal-network mapping, retaliation, blackmail, and law-enforcement targeting. Forum activity can also reveal who traded or discussed specific breach datasets.

Breach Impact

The institutional impact on BreachForums has been effectively terminal in its current iteration, with the October 2025 seizure including the forum's domains, backend servers, and database backups extending back to 2023. The administrators have publicly stated that 'BreachForums is never coming back, if it comes back, it should immediately be considered a honeypot.' The case has been broadly cited in international cybersecurity coverage as a major law enforcement victory against cybercrime forum infrastructure, although commentators including security researcher Graham Cluley have noted that the takedown may be more symbolic than final because dark-web variants of BreachForums remain partially active. The combination of law enforcement seizure of the forum infrastructure and the parallel data breach of the user table provides law enforcement with substantial evidence for ongoing prosecution of forum members. The case has been formally cited as illustrating both the cumulative effectiveness of multiple coordinated takedowns and the resilience of underground cybercrime infrastructure across multiple iterations.

About BreachForums

BreachForums was the most prominent English-language cybercrime forum dedicated to the trading and discussion of stolen data, breach datasets, hacking tools, ransomware operations, and related illicit services. The forum operated as the successor to RaidForums (which was seized by U.S. authorities in 2022), with multiple successive iterations operated under different administrators after each law enforcement takedown. The 2025 incarnation operated at the breachforums.hn domain and was administered by individuals including Baphomet and members of the ShinyHunters extortion group. BreachForums' content directly facilitated federal felony-level cybercrime activity including the sale of breach datasets containing stolen personal information, payment card data, corporate credentials, and access to compromised networks. As cybercrime forum infrastructure, BreachForums maintained extensive user accounts, public forum posts, and private messages that documented members' direct participation in cybercrime operations.

Why They Hold Your Data

Cybercrime forums collect user accounts, messages, trade histories, service listings, and discussion records tied to breach trading and illicit data exchange.

Recent Developments

BreachForums was seized by U.S. and international law enforcement on October 10, 2025 in a coordinated operation involving the FBI, U.S. Department of Justice, France's BL2C cybercrime unit, the Paris Prosecutor's Office, and France's National Jurisdiction against Organised Crime (JUNALCO). The breachforums.hn domain was redirected to display a multi-agency seizure banner inviting victims and former forum members to provide information through the FBI's Internet Crime Complaint Center (IC3). The October 2025 seizure was the fourth major law enforcement disruption of BreachForums and its predecessors: RaidForums was seized in 2022, BreachForums v1 (operated by Conor Brian Fitzpatrick under the alias 'Pompompurin') was shut down in March 2023 after Fitzpatrick's arrest and subsequent three-year prison sentence, BreachForums v2 (operated by Baphomet and ShinyHunters) was seized in May 2024 with Baphomet reportedly arrested, and the 2025 reincarnation was seized in October 2025 with five additional individuals reported as taken into custody. The 2025 BreachForums had operated as both a discussion forum and as an extortion platform tied to the Scattered LAPSUS$ Hunters Salesforce extortion campaign targeting Adidas, Cartier, Chanel, Cisco, FedEx, IKEA, McDonald's, Qantas, Toyota, Walgreens, and other major corporations.

Data Points Exposed

5 verified field types
  • Email Address
  • Messages & Chat (High)
  • Password (Critical)
  • Public User Content
  • Username

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Blackmail, relationship fraud & business intelligence theft
  • Credential stuffing & account takeover
  • Doxing & reputation attack
  • Cross-platform tracking & credential stuffing

Threat Actor: "James" (via shinyhunte[.]rs domain; possibly ShinyHunters-linked, disputed)

Attribution and method are based on available breach intelligence. Reported attack vector: Misconfiguration.

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the BreachForums breach?

BreachForums, the most prominent English-language cybercrime forum, suffered a data breach in approximately August 2025 when the forum's user table and PGP key were temporarily stored in an unsecured folder during a recovery operation following the August 11, 2025 shutdown of the breachforums.hn…

What data was exposed?

Verified fields include Email Address, Messages & Chat, Password, Public User Content, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: Have I Been Pwned (record & field corroboration)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
