ShinyHunters Leaks 300,000 BreachForums User Records After Exiting Forum
ShinyHunters said it has abandoned BreachForums and released an updated database affecting more than 300,000 users of the cybercrime marketplace. Reports say the leak goes beyond basic credentials and includes full account profile and activity data, including usernames, email addresses, hashed passwords, salts, IP addresses, login metadata, and forum activity timestamps.
The group said maintaining the forum ecosystem became a "waste of time" after the FBI seizure of BreachForums and claimed that all currently active BreachForums domains are fake. ShinyHunters also threatened to publish fuller backups — including private messages, posts, and additional user data — unless the remaining forums shut down, while asserting it holds exploits for all MyBB 1.8 versions; the identity of the operators behind current BreachForums instances remains unclear, with speculation ranging from opportunistic criminals to possible law enforcement honeypots.
Timeline
Apr 30, 2026
French report says BreachForums shifted to retaliatory targeting of French organizations
A French Interior Ministry cybercrime report said BreachForums had recently increased claims involving French organizations in an apparent retaliatory posture toward French authorities. The report also said the forum was mass-publishing recycled databases from older breaches more for visibility and signaling than for monetization.
Apr 3, 2026
ShinyHunters announces rebooted BreachForums under new administration
ShinyHunters announced that BreachForums had been rebuilt from scratch after the prior infrastructure was allegedly hacked and its database and source code stolen from the hosting server. The rebooted forum was presented as operating under a new administrator, "X," while multiple BreachForums-branded sites remained online.
Mar 27, 2026
ShinyHunters claims exploits for all MyBB 1.8 versions
Alongside the leak and departure message, ShinyHunters claimed to possess exploits affecting all MyBB 1.8 versions. The statement added a technical escalation to the group's warnings around BreachForums-related infrastructure.
Mar 27, 2026
ShinyHunters threatens release of fuller BreachForums backups
ShinyHunters warned it could publish additional BreachForums data unless remaining forums shut down. The threatened material allegedly includes private messages, emails, IP addresses, posts, and other full-backup content.
Mar 27, 2026
ShinyHunters leaks database of more than 300,000 BreachForums users
At the same time as its departure announcement, ShinyHunters released an updated BreachForums database affecting more than 300,000 users. Reporting said the leak contained extensive account data, including usernames, email addresses, hashed passwords, salts, IP addresses, login metadata, and activity information.
Mar 27, 2026
ShinyHunters announces departure from BreachForums
ShinyHunters publicly stated that it was walking away from BreachForums, describing continued involvement in the forum ecosystem as a waste of time after the FBI action. The group also asserted that currently active BreachForums domains are fake.
Oct 1, 2025
FBI seizes BreachForums infrastructure
ShinyHunters said it abandoned BreachForums following an FBI seizure of the forum in October 2025. This takedown became the turning point cited for the group's departure from the platform.
Aug 11, 2025
BreachForums migration allegedly exposes user table and PGP keys
During an August 11, 2025 migration and recovery effort after BreachForums (.hn) was shut down under law enforcement pressure, administrators allegedly left a MySQL users table and forum PGP private keys in an unsecured temporary folder. The exposed files were reportedly downloaded externally and later became the basis for the broader BreachForums data breach disclosures.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Organizations
Affected Products
Sources
1 more from sources like hackread
Related Stories
BreachForums Reboot Emerges Under Suspect Admin as 918 Stolen Databases Leak
A new **BreachForums** reboot appeared online with an administrator using the handle **"X"**, who claimed the forum had been rebuilt after its infrastructure, database, and source code were hacked from a hosting server and the prior operator **"N/A"** abandoned the project. The alleged revival was quickly disputed: **ShinyHunters** publicly denied any role in the new site and said it had not operated BreachForums since the FBI seizure in October 2025. Researchers also pointed to inconsistencies in X's account, raising doubts about whether the latest site is a legitimate successor, a copycat operation, or a setup using leaked forum data. The confusion comes amid a broader compromise tied to the BreachForums ecosystem, including the leak on Telegram of **918 databases** previously sold through the forum. Reporting said the exposed trove contains personal and sensitive data from numerous historical breaches, creating renewed opportunities for **phishing, ransomware, and espionage**. Multiple BreachForums-branded sites are now online, complicating attribution and increasing the possibility that some may be impersonation efforts, criminal competition, or potential law enforcement honeypots following repeated takedowns of major cybercrime forums.
4 weeks ago
BreachForums Data Breach and Dark Web Data Leaks
A major data breach has exposed the entire user database of BreachForums, a prominent English-language hacking forum on the dark web. The breach was announced on the shinyhunte[.]rs platform, which published a message and made the leaked database available for download and analysis. BreachForums, which had previously replaced RaidForums after its seizure, has been a central hub for cybercriminal activity, including the distribution of stolen data and hacking tools. The forum has faced multiple shutdowns and seizures, but continued to operate under new management and through various hosting providers and domains. In addition to the BreachForums breach, recent activity on dark web forums has included the sale and sharing of data from a South Korean university and a Saudi Arabian employment platform. These incidents highlight the ongoing risks posed by data leaks and breaches on dark web marketplaces, where sensitive information is traded and discussed. Security researchers have made related indicators of compromise (IOCs) and analysis available to subscribers, emphasizing the need for vigilance among organizations whose data may be exposed in such forums.
1 months ago
Law Enforcement Seizure of BreachForums Used for Salesforce Extortion
U.S. and French law enforcement agencies, including the FBI and France’s BL2C cybercrime unit, have seized the primary domains of BreachForums, a notorious hacking forum operated by the ShinyHunters group. The forum, previously known for facilitating cybercriminal activity, had recently shifted its focus from a traditional discussion platform to a dedicated leak and extortion portal. This portal was being used to publish and threaten the release of data stolen from Salesforce and its corporate customers as part of an ongoing extortion campaign. High-profile companies such as Qantas, Disney, McDonald’s, and UPS were among the reported victims of this campaign, which relied heavily on social engineering tactics to compromise Salesforce accounts. The seizure notice, now displayed on the forum’s clearnet domain, features the logos of U.S. and French authorities, signaling the international cooperation behind the takedown. Despite the seizure of the clearnet site, the group’s onion (dark web) domain remains operational, continuing to threaten the release of stolen data. ShinyHunters, under the new moniker Scattered Lapsus$ Hunters, confirmed the loss of their infrastructure in a PGP-signed statement, acknowledging that all their domains and backend servers had been taken by law enforcement. They also admitted that database archives and escrow data dating back to 2023 are now under FBI control, effectively compromising years of criminal records and transactions. The group stated that no core administrators had been arrested, but they would not attempt to relaunch BreachForums, warning that such forums are now likely to be law enforcement honeypots. The seizure was timed to prevent the public release of sensitive Salesforce customer data, which the group had threatened to leak at a specified deadline. Law enforcement’s action represents a significant disruption to the infrastructure supporting ransomware and extortion operations targeting major corporations. The operation also highlights the ongoing evolution of cybercriminal tactics, as forums transition from discussion boards to direct extortion platforms. Despite the takedown, the threat actors insist that their Salesforce campaign remains unaffected, and their dark web leak site continues to list affected companies. The incident underscores the persistent threat posed by groups like ShinyHunters and the challenges faced by law enforcement in fully dismantling their operations. The seizure of BreachForums is the latest in a series of law enforcement actions targeting cybercrime forums, following previous takedowns such as RaidForums. The event demonstrates the importance of international collaboration in combating cyber-enabled extortion and data theft. Organizations affected by the Salesforce campaign are advised to monitor for potential data leaks and strengthen their security posture against social engineering attacks. The broader cybersecurity community is watching closely to see if the disruption of BreachForums will have a lasting impact on the underground economy or simply drive activity further underground.
1 months ago