BreachForums is Back: What Do We Know?

The popular dark web forum, BreachForums, went offline in March 2023. Three months later, in June 2023, a hacker group known as ShinyHunters brought BreachForums back to life. But is it really the same forum? And will it be as successful?

BreachForums – the timeline

BreachForums, which is widely known as one of the top hacking and data breach platforms, emerged as the successor to RaidForums, a renowned hacking forum, which was seized in February 2022. Three weeks later, Pompompurin, a notable threat actor from RaidForums, introduced BreachForums as an alternative on the dark web. 

Since then until its closure in March this year, BreachForums gained over 255K registered members, serving as a leading dark web platform where users exchanged vulnerabilities, exploits, hacking, and phishing tools, leaked and stolen PII such as databases, documents, and compromised accounts, like email addresses, domains, and credit cards.

After its closure, BreachForums users were left with no choice but to shift to existing popular dark web forums such as Exploit and XSS. At the same time, new forums, such as LeakBase and Exposed, attempted to replace BreachForums, by offering discussions on hacking and a marketplace section for trading compromised data and exploits. 

Is BreachForums really back?

As we mentioned before, a new site emerged under the name BreachForums in June 2023, by the ShinyHunters hacker group. This group is a known cybercriminal gang who have hacked into Microsoft, NitroPDF, Pixlr, Mathway, Mashable, Bonobos, etc., stealing the data of millions of users in 2020 and 2021. 

Despite the fact that BreachForums is still under an FBI investigation, the group decided to publicly announce that they have relaunched the site.

Those who are familiar with the original BreachForums will immediately notice that it looks a lot like its predecessor, with an almost identical design and structure, but under different domains, including domains on the open web and on Tor.

The new BreachForums launched with many of the old stolen databases that the original BreachForums hosted. Some users have also reposted previously shared high-profile breaches, such as the December 2022 leak from the FBI’s InfraGard program, or the more recent DC Health Link breach in early March. While some users were still testing if the new forum was reliable, others have already posted new data containing leaked and stolen databases, documents, and compromised accounts. 

While many other alternative forums have emerged, as we covered before, the new BreachForums already contains a larger volume of data than any of its competitors. The new forum has already gathered over 14K registered users, including active threat actors previously operating on the original BreachForums.

New BreachForums – new challenges

The new BreachForums may have only been around for a short time, but it has already faced some challenges. The major one saw the personal data of over 4,200 of its members compromised, including nicknames, linked email addresses, IP addresses, social media identifiers, encrypted passwords, and other data. 

OnniForums, a hacking and leaks-related forum confirmed their breach by publishing a post on Twitter where they confirm that they had hacked into BreachForums. ShinyHunters informed their members about the breach on the site and advised the forum members to change their passwords, revealing that the intrusion was due to a zero-day flaw in MyBB: 

The short time it took to establish the new BreachForums shows how elusive the online cybercriminal world is and how hard it is for law enforcement to stop these illicit activities, even after arresting the admins and shutting down forums. This is another example of why monitoring the dark web in general, and more specifically platforms on the deep and dark web plays a key role in keeping organizations ahead of evolving threats.

With the constant exchange of illicit content on dark web forums, it has become crucial for enterprises and organizations to diligently monitor activities not only from this specific forum but also from the vast expanse of deep and dark web marketplaces, forums, and chat applications. In doing so, they can proactively identify and counter cyber threats to their business, data, and employees.