BreachForums Data Breach and Dark Web Data Leaks
A major data breach has exposed the entire user database of BreachForums, a prominent English-language hacking forum on the dark web. The breach was announced on the shinyhunte[.]rs platform, which published a message and made the leaked database available for download and analysis. BreachForums, which had previously replaced RaidForums after its seizure, has been a central hub for cybercriminal activity, including the distribution of stolen data and hacking tools. The forum has faced multiple shutdowns and seizures, but continued to operate under new management and through various hosting providers and domains.
In addition to the BreachForums breach, recent activity on dark web forums has included the sale and sharing of data from a South Korean university and a Saudi Arabian employment platform. These incidents highlight the ongoing risks posed by data leaks and breaches on dark web marketplaces, where sensitive information is traded and discussed. Security researchers have made related indicators of compromise (IOCs) and analysis available to subscribers, emphasizing the need for vigilance among organizations whose data may be exposed in such forums.
Sources: rescana blog, haveibeenpwned, bleeping computer, resecurity blog, ahnlab asec blog, and 5 more
Related Stories
Law Enforcement Seizure of BreachForums Used for Salesforce Extortion
U.S. and French law enforcement agencies, including the FBI and France's BL2C cybercrime unit, have seized the primary domains of BreachForums, a notorious hacking forum operated by the ShinyHunters group. The forum, previously known for facilitating cybercriminal activity, had recently shifted its focus from a traditional discussion platform to a dedicated leak and extortion portal. This portal was being used to publish and threaten the release of data stolen from Salesforce and its corporate customers as part of an ongoing extortion campaign. High-profile companies such as Qantas, Disney, McDonald's, and UPS were among the reported victims of this campaign, which relied heavily on social engineering tactics to compromise Salesforce accounts. The seizure notice, now displayed on the forum's clearnet domain, features the logos of U.S. and French authorities, signaling the international cooperation behind the takedown. Despite the seizure of the clearnet site, the group's onion (dark web) domain remains operational, continuing to threaten the release of stolen data.
ShinyHunters, under the new moniker Scattered Lapsus$ Hunters, confirmed the loss of their infrastructure in a PGP-signed statement, acknowledging that all their domains and backend servers had been taken by law enforcement. They also admitted that database archives and escrow data dating back to 2023 are now under FBI control, effectively compromising years of criminal records and transactions. The group stated that no core administrators had been arrested, but that they would not attempt to relaunch BreachForums, warning that such forums are now likely to be law enforcement honeypots. The seizure was timed to prevent the public release of sensitive Salesforce customer data, which the group had threatened to leak at a specified deadline. Law enforcement's action represents a significant disruption to the infrastructure supporting ransomware and extortion operations targeting major corporations.
The operation also highlights the ongoing evolution of cybercriminal tactics, as forums transition from discussion boards to direct extortion platforms. Despite the takedown, the threat actors insist that their Salesforce campaign remains unaffected, and their dark web leak site continues to list affected companies. The incident underscores the persistent threat posed by groups like ShinyHunters and the challenges faced by law enforcement in fully dismantling their operations. The seizure of BreachForums is the latest in a series of law enforcement actions targeting cybercrime forums, following previous takedowns such as RaidForums. The event demonstrates the importance of international collaboration in combating cyber-enabled extortion and data theft. Organizations affected by the Salesforce campaign are advised to monitor for potential data leaks and strengthen their security posture against social engineering attacks. The broader cybersecurity community is watching closely to see if the disruption of BreachForums will have a lasting impact on the underground economy or simply drive activity further underground.
5 months ago
Dark Web Leak Claims Target Multiple Organizations, Including Salesfloor and Republic
Dark web monitoring reports surfaced multiple **alleged data leaks** affecting unrelated organizations, with several listings offering databases for sale or direct download. Reports claim **Republic (republic.com)** user data (~4.94M users) was listed for sale for **$2,400**, allegedly including names, emails, physical addresses, and phone numbers. Separate dark web listings also alleged exposure of **rueducommerce.fr** user data (linked in reporting to **Carrefour**) totaling ~2.17M records with similar PII, as well as alleged leaks involving **Dunzo** (~3.4M records) and **Menulux** (~93K records). Additional reporting highlighted a historical breach dataset for the **YouHack** forum (2013; ~107K users) containing usernames, emails, passwords, IPs, posts, and private messages, and a smaller exposure tied to **buylottoonline.com** (~38.5K email records). One of the most consequential claims involved **Salesfloor / People Powered E-Commerce (salesfloor.net)**, attributed in reporting to **LAPSUS$**, alleging theft of roughly **4 TB uncompressed** (1 TB compressed) data including **source code, logs, and customer information**, with potential downstream impact to retail brands using the platform.
Separately from the dark-web-leak theme, other items in the set describe distinct vulnerability-driven risks rather than breach listings: **Zoom Node MMRs** command injection (**CVE-2026-22844**, CVSS 9.9) enabling arbitrary code execution in certain hybrid meeting deployments; **SmarterMail** auth bypass (**CVE-2026-23760**) enabling admin password reset via `force-reset-password` and potential RCE; **Vite** improper access control (**CVE-2025-31125**) enabling sensitive file exposure via query parameters such as `?inline&import` / `?raw&import` (noted as added to CISA KEV); and **Appsmith** password-reset token exposure (**CVE-2026-22794**) enabling account takeover, with internet-exposed instances identified via Shodan and remediation via upgrade to *Appsmith* 1.93.
These vulnerability reports are separate from the dark web leak claims and should be tracked as independent patching priorities rather than as part of a single breach event.
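Beyond patching, a practitioner will want to know whether the two web-facing issues above were already probed. The following is an added example, not code from the original report or from any of the affected vendors: a small scanner that walks combined-format web access logs and flags the request shapes the report names, the Vite `?inline&import` / `?raw&import` query forms and the SmarterMail `force-reset-password` path token. The log lines, IPs and URL paths are constructed for the example (the SmarterMail URL around the token is hypothetical), and the rules cover only the strings quoted on the page; extend them if your vendor advisory lists further variants.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access log lines in common/combined format. They are not real
# traffic; the paths are invented to exercise the rules below.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "GET /src/main.ts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:01:05 +0000] "GET /@fs/etc/passwd?inline&import HTTP/1.1" 200 1843 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:10:01:06 +0000] "GET /.env?raw&import HTTP/1.1" 200 233 "-" "curl/8.5.0"
198.51.100.9 - - [10/Mar/2026:10:02:11 +0000] "POST /api/hypothetical/force-reset-password HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:10:02:12 +0000] "GET /index.html?raw=1 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD target proto", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

RULES = [
    # Query forms the report names for the Vite dev-server access control issue
    # (CVE-2025-31125): "?inline&import" or "?raw&import", alone or followed by more params.
    ("vite-query-bypass", re.compile(r"\?(?:inline|raw)&import(?:&|$)")),
    # Path token the report names for the SmarterMail password-reset bypass
    # (CVE-2026-23760). The full URL is product-specific; the sample path is hypothetical.
    ("smartermail-force-reset", re.compile(r"force-reset-password", re.IGNORECASE)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Run every rule over the request target of each parsable line and collect hits."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["target"]):
                findings.append({
                    "rule": name,
                    "ip": rec["ip"],
                    "method": rec["method"],
                    "target": rec["target"],
                    "status": rec["status"],  # a 2xx on a hit is the strongest signal
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against real logs with `scan(open(path).read())`; a hit with a 2xx status on a Vite dev server that is reachable from outside, or on a SmarterMail host, is worth treating as a probable exploitation attempt rather than noise, while a 404 or 403 still tells you the host is being enumerated.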
1 month ago
Dark Web Leak Claims Target Colis Privé and Multiple Online Services
Dark web monitoring reports described **unverified data leak claims** involving several organizations, including French parcel delivery firm **Colis Privé**. One post on **BreachForums** allegedly offered an upload of **22,564,381 records** attributed to Colis Privé, described as `.jsonl` files totaling **~4.1 GB**; no specific threat actor attribution or company confirmation was cited, and the notice characterized the situation as informational while scope is assessed. If authentic, the scale and format of the dataset would materially increase risk of **identity theft, credential stuffing, and targeted phishing** against customers. Separate dark web forum posts also alleged database exposures affecting **JobsGO** (Vietnam recruitment platform), **MyVete** (veterinary management platform), **PIXPAY** (Senegalese payment service), and **Groupe Fondasol** (France-based engineering). The claimed datasets reportedly include **CV/personal records**, and in some cases **API credentials and employee metadata**, with example figures including **~2.3 million records** for JobsGO and **~5.57 million records** for MyVete (verification not indicated). Across the claims, the primary business risk is downstream abuse of exposed personal and operational data for **social engineering, recruitment fraud, and account takeover**, rather than immediate exploitation of a specific software vulnerability.
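When a claimed dump such as the `.jsonl` set above (or the BreachForums user database at the top of this page) becomes available for analysis, the first practical question for a defender is whether it contains records tied to your own domains and what kinds of sensitive fields it carries. The following is an added example, not code from the original report or from any organization named on the page: a streaming triage that reads one JSON object per line so a multi-gigabyte file never has to fit in memory, tolerates malformed lines, tallies email domains, flags sensitive field names, and records only the record identifiers of matches for a watched domain so the triage output itself contains no PII. The sample records, the `corp.example` watched domain and the sensitive-key list are constructed assumptions.

```python
import json
from collections import Counter
from typing import Any, Dict, Iterable, Optional

# Constructed sample in the .jsonl format described in the report (one JSON object per
# line). These records are invented and correspond to no real dataset or person.
SAMPLE_JSONL = """\
{"id": 1, "name": "A. Dupont", "email": "a.dupont@example.fr", "phone": "+33 6 00 00 00 01"}
{"id": 2, "name": "B. Martin", "email": "B.Martin@Example.FR", "address": "1 rue Test, Lyon"}
{"id": 3, "name": "C. Durand", "email": "c.durand@corp.example", "api_key": "sk_test_0000000000"}
not json at all
{"id": 4, "name": "D. Petit", "email": null}
{"id": 5, "name": "E. Roux", "email": "e.roux@corp.example", "password_hash": "$2b$12$abc"}
"""

# Assumption: the domains your organization owns or is responsible for.
WATCHED_DOMAINS = {"corp.example"}

# Assumption: field names whose presence changes the risk rating of a dump.
SENSITIVE_KEYS = {"password", "password_hash", "api_key", "token", "secret"}


def email_domain(value: Any) -> Optional[str]:
    """Lower-cased domain part of an email-shaped string, else None."""
    if not isinstance(value, str) or value.count("@") != 1:
        return None
    return value.rsplit("@", 1)[1].lower()


def triage(lines: Iterable[str], watched_domains: Iterable[str]) -> Dict[str, Any]:
    """Stream JSONL lines and summarise exposure without retaining personal data."""
    watched = {d.lower() for d in watched_domains}
    summary: Dict[str, Any] = {
        "records": 0,
        "malformed": 0,
        "domains": Counter(),
        "sensitive_fields": Counter(),
        "watched_hits": [],  # record ids only, never the PII itself
    }
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            summary["malformed"] += 1
            continue
        if not isinstance(obj, dict):
            summary["malformed"] += 1
            continue
        summary["records"] += 1
        for key in obj:
            if key.lower() in SENSITIVE_KEYS:
                summary["sensitive_fields"][key] += 1
        dom = email_domain(obj.get("email"))
        if dom:
            summary["domains"][dom] += 1
            if dom in watched:
                summary["watched_hits"].append(obj.get("id"))
    return summary


def triage_sample() -> Dict[str, Any]:
    """Run the triage over the constructed sample."""
    return triage(SAMPLE_JSONL.splitlines(), WATCHED_DOMAINS)


def triage_file(path: str, watched_domains: Iterable[str]) -> Dict[str, Any]:
    """Triage a real dump on disk; the file handle is iterated line by line."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return triage(fh, watched_domains)


if __name__ == "__main__":
    result = triage_sample()
    print("records:", result["records"], "malformed:", result["malformed"])
    print("top domains:", result["domains"].most_common(5))
    print("sensitive fields:", dict(result["sensitive_fields"]))
    print("watched-domain record ids:", result["watched_hits"])
```

The counts are what you escalate on: a non-trivial share of watched-domain records means forced password resets and phishing warnings for those users, and any hit in `sensitive_fields` (API keys, password hashes) raises the item from "monitor" to "rotate credentials now", independent of whether the seller's headline record count turns out to be accurate.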
1 month ago