ShinyHunters Leaks 300,000 BreachForums User Records After Exiting Forum
ShinyHunters said it has abandoned BreachForums and released an updated database affecting more than 300,000 users of the cybercrime marketplace. Reports say the leak goes beyond basic credentials and includes full account profile and activity data, including usernames, email addresses, hashed passwords, salts, IP addresses, login metadata, and forum activity timestamps.
The group said maintaining the forum ecosystem became a "waste of time" after the FBI seizure of BreachForums and claimed that all currently active BreachForums domains are fake. ShinyHunters also threatened to publish fuller backups — including private messages, posts, and additional user data — unless the remaining forums shut down, while asserting it holds exploits for all MyBB 1.8 versions; the identity of the operators behind current BreachForums instances remains unclear, with speculation ranging from opportunistic criminals to possible law enforcement honeypots.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
French report says BreachForums shifted to retaliatory targeting of French organizations
A French Interior Ministry cybercrime report said BreachForums had recently increased claims involving French organizations in an apparent retaliatory posture toward French authorities. The report also said the forum was mass-publishing recycled databases from older breaches more for visibility and signaling than for monetization.
ShinyHunters announces rebooted BreachForums under new administration
ShinyHunters announced that BreachForums had been rebuilt from scratch after the prior infrastructure was allegedly hacked and its database and source code stolen from the hosting server. The rebooted forum was presented as operating under a new administrator, "X," while multiple BreachForums-branded sites remained online.
ShinyHunters claims exploits for all MyBB 1.8 versions
Alongside the leak and departure message, ShinyHunters claimed to possess exploits affecting all MyBB 1.8 versions. The statement added a technical escalation to the group's warnings around BreachForums-related infrastructure.
ShinyHunters threatens release of fuller BreachForums backups
ShinyHunters warned it could publish additional BreachForums data unless remaining forums shut down. The threatened material allegedly includes private messages, emails, IP addresses, posts, and other full-backup content.
ShinyHunters leaks database of more than 300,000 BreachForums users
At the same time as its departure announcement, ShinyHunters released an updated BreachForums database affecting more than 300,000 users. Reporting said the leak contained extensive account data, including usernames, email addresses, hashed passwords, salts, IP addresses, login metadata, and activity information.
ShinyHunters announces departure from BreachForums
ShinyHunters publicly stated that it was walking away from BreachForums, describing continued involvement in the forum ecosystem as a waste of time after the FBI action. The group also asserted that currently active BreachForums domains are fake.
FBI seizes BreachForums infrastructure
ShinyHunters said it abandoned BreachForums following an FBI seizure of the forum in October 2025. This takedown became the turning point cited for the group's departure from the platform.
BreachForums migration allegedly exposes user table and PGP keys
During an August 11, 2025 migration and recovery effort after BreachForums (.hn) was shut down under law enforcement pressure, administrators allegedly left a MySQL users table and forum PGP private keys in an unsecured temporary folder. The exposed files were reportedly downloaded externally and later became the basis for the broader BreachForums data breach disclosures.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
BreachForums, un forum désormais dans " une logique manifeste de ...
zdnet.fr
Open sourceShinyHunters Claims Rebooted BreachForums Now More Secure
bankinfosecurity.com
Open sourceShinyHunters Claims Rebooted BreachForums Now More Secure
govinfosecurity.com
Open sourceBreachForums analyzes data breach incident ("Doomsday The Story of James") - ASEC
asec.ahnlab.com
Open sourceShinyHunters marks BreachForums departure with user database leak | brief | SC Media
scworld.com
Open sourceShinyHunters Walk Away from BreachForums, Leak 300,000-User Database
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
BreachForums Reboot Emerges Under Suspect Admin as 918 Stolen Databases Leak
A new **BreachForums** reboot appeared online with an administrator using the handle **"X"**, who claimed the forum had been rebuilt after its infrastructure, database, and source code were hacked from a hosting server and the prior operator **"N/A"** abandoned the project. The alleged revival was quickly disputed: **ShinyHunters** publicly denied any role in the new site and said it had not operated BreachForums since the FBI seizure in October 2025. Researchers also pointed to inconsistencies in X's account, raising doubts about whether the latest site is a legitimate successor, a copycat operation, or a setup using leaked forum data. The confusion comes amid a broader compromise tied to the BreachForums ecosystem, including the leak on Telegram of **918 databases** previously sold through the forum. Reporting said the exposed trove contains personal and sensitive data from numerous historical breaches, creating renewed opportunities for **phishing, ransomware, and espionage**. Multiple BreachForums-branded sites are now online, complicating attribution and increasing the possibility that some may be impersonation efforts, criminal competition, or potential law enforcement honeypots following repeated takedowns of major cybercrime forums.
Apr 5, 2026
BreachForums Breaches Expose User Data After MyBB Zero-Day Compromise
BreachForums suffered repeated compromises that exposed member data across multiple iterations of the cybercrime forum. An earlier breach leaked details on about **4,000 members**, while a later incident tied to the forum's reboot reportedly spilled data on roughly **325,000 users**, underscoring the scale of exposure affecting one of the most prominent underground marketplaces. Reporting on the more recent compromise said the forum was hit through a **MyBB `0-day`** affecting unpatched software, with forum administrators claiming the intrusion was also linked to a broader law-enforcement crackdown. The incident disrupted the platform, prompted leadership changes including the emergence of a new admin, and highlighted how even criminal forums remain vulnerable to the same software flaws, operational failures, and data-security lapses that they routinely exploit in others.
May 25, 2026
BreachForums Data Breach and Dark Web Data Leaks
A major data breach has exposed the entire user database of BreachForums, a prominent English-language hacking forum on the dark web. The breach was announced on the shinyhunte[.]rs platform, which published a message and made the leaked database available for download and analysis. BreachForums, which had previously replaced RaidForums after its seizure, has been a central hub for cybercriminal activity, including the distribution of stolen data and hacking tools. The forum has faced multiple shutdowns and seizures, but continued to operate under new management and through various hosting providers and domains. In addition to the BreachForums breach, recent activity on dark web forums has included the sale and sharing of data from a South Korean university and a Saudi Arabian employment platform. These incidents highlight the ongoing risks posed by data leaks and breaches on dark web marketplaces, where sensitive information is traded and discussed. Security researchers have made related indicators of compromise (IOCs) and analysis available to subscribers, emphasizing the need for vigilance among organizations whose data may be exposed in such forums.
Mar 21, 2026