A year after the U.S. Department of Justice seized the notorious cybercrime forum, a database containing the details of nearly half a million RaidForums users has leaked online.
The leaked database was posted on the Exposed forum, which security researchers describe as an emerging forum "hoping to fill the void left by the recent closure of BreachForums."
"ODN" visited this latest data breach forum, which was also built using the MyBB program and looks similar to RaidForums and BreachForums. The forum's announcement stated that a dark web mirror site for Exposed Forums would be launched soon.
From RaidForums to BreachForums and finally to Exposed Forums
Launched in 2015, RaidForums was once a popular platform that grew into one of the world's largest hacking forums. Cybercriminals mainly used it to buy and sell stolen databases, including more than a million passwords for the cryptocurrency wallet service Gatehub and millions of stolen T-Mobile customer accounts. The hacking forum was also reportedly used by the Lapsus$ hacker group.
The U.S. Department of Justice announced that it had seized RaidForums' website and infrastructure in April 2022 as part of an international law enforcement operation, and the administrator of RaidForums, known as "Omnipotent," and two of his associates were also arrested. Prosecutors said hundreds of databases containing stolen data of more than 10 billion personal records were sold before the forum was seized.
After RaidForums was destroyed, the hacking community gathered to continue their illegal activities in a new forum called BreachForums, which served the same purpose and audience. However, the FBI arrested the founder of BreachForums, "Pompompurin," in March 2023. A few days after "Pompompurin's" arrest, the forum's co-administrator "Baphomet" announced that they had permanently shut down the forum, fearing that law enforcement might have access to BreachForums' servers.
To fill the gap left by BreachForums, a new hacking forum called Exposed was recently launched and quickly gained popularity.
Exposed forum administrator "Impotent" leaks database of RaidForums users
On May 29, 2023, Exposed forum administrator "Impotent" made public the RaidForums membership database, which contains the details of 478,000 users: their usernames, email addresses, hashed passwords, and registration dates. This data is now available for use by other threat actors, researchers, and law enforcement.
In addition, they have posted this information as an announcement on their website.
The leaked data is already available for download as an SQL file containing RaidForums member registration information. The data originates from the "mybb_users" table of MyBB, the forum software used by RaidForums, which stores details such as usernames, email addresses, hashed passwords, registration dates, and other forum-related information.
The leaked data table contains information on 478,870 RaidForums members who registered between March 20, 2015, and September 24, 2020, indicating that the database was dumped during this period.
"All users on raidforums may have been compromised," the administrator of the Exposed forum said in the post. RaidForums had about 550,000 users when it shut down last year.
The administrator added that the details of some RaidForums users had been removed from the database, but it was not clear how many or the reason behind it.
The fact that a large number of accounts in the database contain known registration information supports the authenticity of the leaked table. Some members of the Exposed forum also confirmed the presence of their information in that MySQL data table.
The exposed data may have been in the hands of law enforcement after RaidForums was seized by U.S. authorities, but the data is still valuable to security researchers. They often use such information to build profiles of threat actors and potentially uncover links to other malicious activity.
Hacker groups are buzzing that the Exposed forum could be a honeypot for the FBI
The RaidForums data breach has prompted heated discussion in multiple hacker groups on Telegram.
From RaidForums to BreachForums, all were built on the PHP forum software MyBB. Some hackers wonder whether there is an undisclosed 0-day vulnerability in MyBB or its plugins, and say that if one exists, the Exposed forum may be the next one to be censored.
Several hackers also suspect that the Exposed forum is most likely an FBI honeypot, because the FBI has the database.