Cyber Security Threat Summary:
While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data has been shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.

Back in November of 2022, the hacking forum BreachForums was itself breached by threat actors. A year later the operator of the website was arrested and the site was seized by law enforcement agencies. The breach has apparently exposed 212,000 records including usernames, IP and email addresses, private messages between site members, and passwords.

Breached was a popular hacking and data leak tool for criminals, often posting information related to hosting, leaking, and selling data stolen from hacked companies, governments, and organizations worldwide. After the FBI arrested the site's admin Pompompurin in March 2023, the remaining administrator, Baphomet, decided to shut the forum down after believing that law enforcement also had access to the site's servers. Baphomet later launched a new Breached Forums clone (called BFv2) with another data breach seller known as Shiny Hunters.

Security Officer Comments:
A user going by the name “breached_db_person” has shared the leaked database with Have I Been Pwned to prove it’s authenticity and to promote the sale to potential buyers. Previous Breached admin Baphomet has also confirmed the authenticity of the database, warning that its sale is part of a "continued campaign attempting to destroy the community. Not only was the database submitted to HIBP, but it's being actively sold/leaked by at least one person - even attempting to do so on our forum," warned Baphomet.

Baphomet warned that the data will eventually be listed publicly. He says that the listing of 212,000 users means the data is likely from an older database before BFv2 was released, noting that his latest backup had data from around 336,000 users.

The seller says they are selling the Breached database to only one person for $100,000 - $150,000 and that it contains a snapshot of the entire database taken on November 29th, 2022.

While the FBI likely already has access to information from the database from when they seized the servers, the data will still be valuable for cybersecurity researchers and potentially to other threat actors. According to Bleeping Computer, The seller says that the private message tables have a lot of incriminating information about forum members and that the 'members' database contains IP addresses showing that many threat actors don't follow good operational security by using residential IP addresses. These private messages could reveal information surrounding past attacks, identities, and other useful information.

Suggested Correction(s):
“Breached and its members have been responsible for a wide range of hacks, extortion attempts, ransomware attacks, and the leaking of stolen data for many companies. These breaches include DC Health Link, Twitter, RobinHood, Acer, Activision, and many more” (Bleeping Computer, 2023). The seller says that have received various offers for the data already, saying one buyer is offering $250,000.

While we may never know if the database was sold, or to how many buyers, researchers believe the entire database will likely be leaked for free in the future. It is common for data breaches to first be purchased privately and then released later to increase reputation among the data theft community.

Link(s):
https://www.bleepingcomputer.com/