Friday, 28 July 2023 14:58

BreachForums finds themselves the Victim of a Data Breach and Data Leak

Written by

Reading time is around minutes.

Using a famous idiom, it looks like the shoe is on the other foot as BreachForums has found themselves the victim of a data breach and release of data. The breach took place in November of 2022 and culminated with the arrest of one of the owners of the forum. The responsible parties were able to attack and exfiltrate data from the site including user information, IP addresses and internal messages sent between users and the forum.

The arrest of 20-year-old Conor Brian Fitzpatrick (Pompompurin) occurred in March of 2023 and ended with him pleading guilty to Cybercrime and possession of Child Pornography. The co-owner, known as Baphomet, feared that the breach of the forum and quick arrest indicated that the servers themselves might be compromised by law enforcement and shut the original site down. He then launched a new one with a different co-owner in June of 2023. However, the damage had been done.

The data from the database of the original Breachforums is now p for sale on the darker side of the internet. The attacker(s) are currently going by the name breached_db_person. The name looks like a table name to me, but it also seems like this is a temporary alias. The data base has been shared with Have I been Pwned and is also up for sale on the new BreachForums.

Baphomet is indicating that the differences between the listed number of users in the leaked DB and his last back up of the original BreachForums seem to indicate that the DB leaked is an older one. Which coincides with what the seller is saying (the leaked DB is from November 2022). That being said the leaked DB still contains information on 212,000 BreachForum users which is a lot of data to sort through. Law enforcement also appears to have a copy of this version of the data from when they seized the servers back in late 2022.

That being said the information is still a valuable commodity. Since the data being offered also contains private messages and the IP addresses that users connected from there is a lot that researchers could use to their benefit. Other threat actors might also be interested in this information, but considering there is payment information contained in the leaked data they might find other more financially motived things to tinker with. Some of the payment information even includes Payment IDs and crypto addresses.

The information is pay of the old forums payment system which allows Forum members to buy membership packages and credits (ah creds…) which is a forum of site-specific currency. A similar currency was and perhaps still is) used on some of the larger piracy top sites. There people could earn them by performing specific tasks (like posting newly pirated or cracked material) or purchasing them. Credits then allowed them access to other materials that someone else posted or access to better areas of the top site. It is likely that this a similar system was used here.

It cannot be stressed that although this is an older database, it has a ton of information that is of value to many people. The FBI already has it so that leaves the commercial and cybercrime markets sell in. breached_db-person has indicated that they are only going to sell it to a single entity and for $100,000 to $150,000. This is only what the person in possession of the forum is asking, there is a high likelihood that it will eventually sell for much more than that. Internal fighting in the threat actor community seems to be increasing as other forums, including the new BreachForums have been attacked and had their data leaked. It is an interesting time to be alive.

Read 1686 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.