[BreachExchange] Hacking forum spills rival’s 321,000 member database

Destry Winant destry at riskbasedsecurity.com
Fri Aug 16 08:47:25 EDT 2019


When users of hacking forums turn on each other, expect things to get
messy quickly.

The latest site to find itself on the receiving end of this phenomenon
is Cracked.to which last Friday reportedly found its database of
321,000 members and 749,161 unique email addresses leaked on rival
site, RaidForums.

We can say that with confidence because by Monday the compromised
accounts had become another statistic on the Have I Been Pwned (HIBP)
breach database – the industry’s go-to for news of such incidents.

That dated the breach to 21 July, with the stolen data also including
things anyone frequenting a forum of this type would rather not be out
in the open such as “IP addresses, passwords, private messages,

As Ars Technica points out, this isn’t likely to be as serious a data
breach as it would be for a more mainstream website.

IP addresses will likely be anonymised using Tor with account email
addresses that probably won’t identify the users behind them – this is
a cagey hacking forum after all.

As for password security, according to the site’s breach warning, it
appears that months before the breach an admin at Cracked.to realised
the danger of using weak hashing:

We have changed the hashing algorithm of passwords from myBB default
(MD5) to something more advanced a few months ago, which makes it
almost impossible to decrypt your passwords.

Doxing schadenfreude

More of a problem, however, is the leaking of private messages, which
might identify at least some users.

The culprit? Apparently, an inside job carried out by an “old person
of my trust”, said a current forum admin. Naturally:

There will be consequences for the forum that is responsible for
distributing the backup and for the person that leaked it.

On the former point of revenge, they might need to join a queue. In
May, data from 112,988 users of rival forum OGusers also appeared on

Security writer Brian Krebs argued that this “comeuppance” would
probably prove to be an excellent resource for law enforcement to
trawl through for evidence of crimes and perhaps the names behind

More information about the BreachExchange mailing list