On January 9, 2026, a database belonging to BreachForums, a notorious cybercrime and hacker forum available on both the clear web and the “Dark Web,” was released to the public, putting over 320,000 users in the spotlight.
BreachForums, as we know it, is no stranger to drama. The platform has a history of getting seized by law enforcement authorities or vanishing and reappearing. It had become the go-to site for cybercrime activity after the police shut down its predecessor, RaidForums, back in 2022. In early April 2025, the forum suddenly disappeared without explanation.
While many suspected a police raid, Hackread.com reported at the time that the site disappeared due to a security issue rather than a seizure. By July 2025, the forum was back online.
The Leaked Database
Resecurity, which shared its research with Hackread.com, found that the leaked file contains information on 323,986 users, including their “metadata extracted from MySQL DB,” which is basically a digital footprint that could help identify the people behind the screens.
The database was published on shinyhunte.rs, a site that has previously hosted stolen datasets and is not recommended for direct access due to the risk of malicious content. The same platform has been used in the past to leak data linked to Fujifilm, GAP Inc., Vietnam Airlines, Engie Resources, Qantas Airways Limited, and Albertsons Companies, following incidents tied to a Salesforce-related compromise.
The BreachForums database was accompanied by a valid PGP signature historically associated with previous forum operators, indicating the dataset is authentic and likely originated from internal forum systems.
For your information, ShinyHunters is part of a constantly shifting alliance. You might hear names like Scattered Lapsus$ Hunters or a community called ‘The Com.’ These are not just random names; they represent a ‘supergroup’ of young hackers who have joined forces to share tools and targets.
Researchers explained in another report that they use ShinyHunters as a broad label to “illustrate the phenomenon of involving young IT professionals in questionable acts.” By highlighting this, they hope to warn other talented young people to stay away from these criminal circles.
Hackread.com also independently reviewed the leaked dataset and found that, in addition to general profile metadata, it contains user display names, email addresses, Argon2i password hashes, and links to external accounts such as Telegram. While the passwords are not stored in plaintext, the combination of these data points may still carry identification and attribution risks for affected users.
Response from BreachForums
A BreachForums administrator using the alias N/A responded to reports of a database leak by claiming the exposed data originated from an old incident in August 2025, during a forum restoration process following the .hn domain takedown. According to the administrator, the users table and the forum’s PGP key were briefly stored in an unsecured directory and downloaded once during that period.
The admin stressed that the incident did not involve server compromise, database access, or exploitation, and described current claims of an active breach as false. They added that passwords in the dataset were stored as Argon2i hashes, IP addresses were largely truncated, and remaining fields consisted of publicly visible information. The forum said all sessions were revoked at the time, and restoration procedures have since been secured.

The “James” Message Circulating With the Leak
Alongside the leaked database, a lengthy manifesto signed by an individual calling himself “James” was also published on shinyhunte.rs. The text contained dramatic claims, threats, and references to multiple cybercrime figures and groups, presented in a highly theatrical and ideological tone.
There is no independent verification of the claims made in the message, and such manifestos are commonly used within underground forums to provoke attention, spread disinformation, or confuse attribution. The appearance of the text does not confirm the identity of the author or the individuals named and should be treated as unverified rhetoric rather than factual disclosure.

Why This Leak Matters
It is very rare for criminal organisations to be exposed so thoroughly. This incident shows that even the most malicious groups can be vulnerable to the same failures they exploit in others.
Researchers noted that exposure of criminal infrastructure can have a broader defensive impact than typical corporate breaches, as it may disrupt illicit networks and deter future recruitment. By sharing the database for independent analysis, researchers hope to break the cycle of cybercrime and discourage future involvement in such communities.
