The BreachForums hacking forum became the victim of its own trade on January 9, 2026, when a former ShinyHunters member published the forum’s user database containing approximately 324,000 accounts. The leak includes usernames, email addresses, password hashes, and roughly 70,000 IP addresses that could help identify real-world users.
Leak overview
| Attribute | Details |
|---|---|
| Records exposed | 323,986 user accounts |
| Leak date | January 9, 2026 |
| Data cutoff | August 11, 2025 |
| Leaker identity | ”James” / “James Mathis” (former ShinyHunters) |
| Database file | databoose.sql (MyBB users table) |
| Archive name | breachedforum.7z |
| Current ShinyHunters involvement | Denied |
What was leaked
| Data type | Details | Risk level |
|---|---|---|
| Usernames | Display names for all 323,986 accounts | Identity correlation |
| Email addresses | Registration emails | Real-world identification |
| Password hashes | Argon2i format | Crackable with resources |
| IP addresses | ~70,000 public IPs (many loopback filtered) | Geographic identification |
| Telegram handles | External account links | Cross-platform correlation |
| Registration dates | Through August 2025 | Activity timeline |
| External links | Other social accounts | Identity mapping |
The August 2025 cutoff corresponds to when the previous BreachForums instance was shut down. The leaked data represents the forum’s user base at that point.
Database technical details
| Attribute | Value |
|---|---|
| Database type | MyBB users table |
| File name | databoose.sql |
| Record count | 323,988 members |
| Hash algorithm | Argon2i |
| IP count | ~70,000 (excluding loopback) |
| Forum PGP key | Also leaked |
How the breach occurred
The current BreachForums administrator (known as “N/A”) acknowledged the breach and provided technical details:
| Element | Explanation |
|---|---|
| Origin | Old users-table from August 2025 restoration |
| Vulnerability | Unsecured folder during forum migration |
| Exposure window | ”Very short period of time” |
| Downloads | Folder accessed only once |
| Content | Users table + forum PGP key |
During the forum’s restoration from the .hn domain, critical data was temporarily stored in an unsecured location. One download was enough to capture the database.
Administrator statement
“During the restoration process, the users table and the forum PGP key were temporarily stored in an unsecured folder for a very short period of time. Our investigation shows that the folder was downloaded only once during that window.”
Who is “James”?
The leak came from an individual identifying as “James” or “James Mathis,” who published the database on a website bearing the ShinyHunters name along with a lengthy 23-part manifesto.
Stated motivations
| Claim | Context |
|---|---|
| Ideological disagreement | Opposition to attacks on French organizations |
| Disillusionment | Growing dissatisfaction with group members |
| Self-description | ”Ageless and legendary hacker” operating for decades |
| Goal | Show former associates they can’t operate anonymously |
| Manifesto length | 23 parts |
ShinyHunters response
The current ShinyHunters group denied any involvement with the leak or the website distributing the archive:
“We are not affiliated with the site that distributed this archive.”
The administrator characterized “James” as a former member who left the group.
Law enforcement implications
The exposed IP addresses represent the most significant element for investigators:
| Factor | Impact |
|---|---|
| Public IPs exposed | ~70,000 (excludes loopback addresses) |
| VPN/Tor users | Likely not directly identifiable |
| Poor OPSEC users | Directly traceable to ISP/location |
| Extradition risk | Countries with treaties may pursue prosecution |
| Email correlation | Cross-reference with other breaches |
Authentication by researchers
Security firm Resecurity confirmed data authenticity:
“Some of the records identified in the database are definitely authentic and can be cross-checked with other sources regarding specific actors.”
Identification potential
| User category | Risk level |
|---|---|
| No VPN/Tor usage | High (direct IP identification) |
| Home ISP IP | High (subscriber records available) |
| Work network IP | High (employer identification) |
| VPN with logging | Medium (legal process to VPN provider) |
| Tor or no-log VPN | Low (but other data may identify) |
| Email correlation | Varies (depends on email OPSEC) |
Related law enforcement actions
June 2025 French arrests
| Administrator | Status | Age |
|---|---|---|
| Hollow | Arrested | Twenties |
| Noct | Arrested | Twenties |
| Depressed | Arrested | Twenties |
| ShinyHunters | Arrested | Twenties |
French police announced the arrest of four BreachForums administrators in June 2025.
Prior prosecutions
| Individual | Outcome |
|---|---|
| Sebastien Raoult | 3 years prison (sentenced January 2024) |
| Jurisdiction | US District Court, Seattle |
| Charges | ShinyHunters group membership |
| Extradition | Successfully extradited to US |
Pompompurin case
| Individual | Outcome |
|---|---|
| Conor Brian Fitzpatrick | Supervised release |
| Alias | Pompompurin |
| Role | Original BreachForums founder |
| Arrest | March 2023 |
BreachForums’ troubled history
| Date | Event |
|---|---|
| March 2022 | Original BreachForums launches after RaidForums seizure |
| March 2023 | FBI seizes BreachForums; founder “Pompompurin” arrested |
| June 2023 | Forum relaunches under ShinyHunters administration |
| May 2024 | FBI seizes forum again |
| June 2024 | Forum relaunches again |
| August 2025 | Forum shuts down and migrates to new infrastructure |
| January 2026 | User database leaked |
The repeated seizures and relaunches have fueled speculation that BreachForums operates as a law enforcement honeypot, at least partially. This latest leak will further erode trust among users who depend on the forum’s anonymity.
Honeypot speculation
| Evidence for | Evidence against |
|---|---|
| Multiple relaunches after seizures | Administrators arrested |
| Continued operation despite law enforcement interest | Active criminal trading |
| User data repeatedly exposed | ShinyHunters denial |
| Convenient timing of leaks | Internal disputes explain leak |
Administrator dispute
The forum administrator disputed some claims about the leak’s scope:
| Claim | Administrator response |
|---|---|
| Fresh data | Denied—data is from August 2025 backup |
| Complete database | Acknowledged users table was leaked |
| Ongoing access | Denied—single download during brief window |
| Forum compromise | Denied—only unsecured folder accessed |
Checking exposure
Have I Been Pwned has added the BreachForums dataset to its database. Affected individuals can check their exposure at haveibeenpwned.com.
| Resource | URL |
|---|---|
| Have I Been Pwned | haveibeenpwned.com |
| Dataset name | BreachForums (2025) |
| Records indexed | 323,986 |
Intelligence value
For researchers and law enforcement, the leak provides:
| Value | Application |
|---|---|
| Identity correlation | Cross-reference with other breaches |
| Email addresses | Link to real-world identities |
| IP addresses | Geographic and ISP identification |
| Telegram handles | Additional identity verification |
| Activity patterns | Registration and engagement timelines |
| Network mapping | Understand criminal relationships |
| Prosecution support | Evidence for existing investigations |
Implications
For BreachForums users
| Risk | Mitigation |
|---|---|
| Identity exposure | Likely too late if poor OPSEC was used |
| Law enforcement attention | Monitor for legal inquiries |
| Credential reuse | Change passwords on any shared credentials |
| Extortion risk | Other criminals may exploit the data |
| Phishing risk | Targeted attacks using leaked data |
For the cybercrime ecosystem
| Impact | Assessment |
|---|---|
| Trust in forums | Further eroded |
| Operational security | Renewed emphasis expected |
| Alternative platforms | Migration to other forums likely |
| Internal conflicts | ShinyHunters fracturing continues |
| Decentralization | Move to private channels |
Timeline of expected impacts
| Timeframe | Expected development |
|---|---|
| Immediate | Increased OPSEC among forum users |
| 1-3 months | Law enforcement cross-referencing |
| 3-6 months | Initial arrests in cooperative jurisdictions |
| 6-12 months | Indictments based on correlation analysis |
| 12+ months | Prosecutions and sentencing |
Context
The BreachForums leak represents a significant intelligence windfall for law enforcement agencies worldwide. The irony of a hacking forum being breached is obvious, but the real impact will unfold over months as investigators correlate the exposed data with other sources.
The leak also highlights the fragility of trust in criminal forums. When administrators can expose their entire user base through operational errors—or when disgruntled members can publish databases as revenge—the anonymity that forum users depend on becomes unreliable.
For the cybercriminals exposed in this leak, the consequences may take years to materialize as law enforcement agencies prioritize targets and build cases. The 70,000 users with exposed IP addresses face the most immediate identification risk, particularly those who accessed the forum from home or work networks without VPN protection.
The internal ShinyHunters conflict that triggered this leak demonstrates that criminal organizations face the same personnel challenges as legitimate enterprises—trust is fragile, and departing members may take valuable information with them.