
BreachForums Chaos, Cybercrime Infighting & Zero-Day Exploits

23 March 2026
BREACHAWARE HQ

A total of 21 breach events were found and analysed, resulting in 54,011,488 exposed accounts containing a total of 33 different types of personal data. The breaches found publicly and freely available included ULP Alien Txt File - Episode 35, Creditlink - Brazil, Aura, ULP 0042 and Hello!Online.

Categories of Personal Data Discovered

Contact, Geolocation, Digital Behaviour, Technology, Sociodemographic, Career, Unstructured, Finance, Human Behaviour, National Identifiers, Communication Logs, Commerce, Relationships.

Data Breach Impact

Last week’s batch spilled 33 different types of personal data across the digital floor. With appearances from ULP’s ever-growing breach saga, Brazilian credit data, and lifestyle platforms like Hello!Online, it’s clear the chaos isn’t slowing down. For third-party companies, it’s another reality check: even distant breaches can quietly drag your staff’s info into risky territory. And for individuals? More leaked data means more ways for fraudsters to worm their way in. The breaches may vary, but the threat stays on repeat.

Cyber Update

Hot on the heels of LeakBase getting the plug pulled by law enforcement, we’ve now seen BreachForums V4 go down. At this point, keeping track of versions feels less like threat intelligence and more like trying to follow the Fast & Furious franchise.

The forum’s admin, known as “N/A”, announced they were stepping away, citing personal matters and the launch of a “new venture”. A touching moment of career reflection… if you ignore the fact we’re talking about a cybercrime marketplace.

They also claimed to be looking for a new owner to take over operations, reassuring users that the moderation team would remain in place. Very corporate. Almost like a LinkedIn exit post, just with more stolen data in the background.

Naturally, things unravelled almost immediately.

Within 48 hours, a new BreachForums domain appeared, a minimalist black page with white text, outlining the admin’s supposed next chapter. Very dramatic. Very mysterious. Very “something’s not quite right here.” And indeed, it wasn’t.

Allegations quickly surfaced that N/A had effectively stitched up their own moderators, pocketing around $4,000 by pretending to sell the forum’s infrastructure (including the database) to an associate linked to a threat actor. The rumoured motive? Settling a debt owed to, you guessed it, ShinyHunters.

Nothing says “exit strategy” like allegedly scamming your own team on the way out.

The moderators, understandably unimpressed, responded with all the restraint of a petrol fire: “N/A, you have 5 days to contact us… After these 5 days, your life will end in front of hundreds of thousands of people.” Subtle.

A full dox has been threatened, and if that materialises, it won’t just be internet drama; it’s the kind of thing that tends to attract serious law enforcement attention. Public threats, personal data exposure, and a very visible paper trail rarely end well for anyone involved.

Because no cyber saga is complete without a side plot, the moderators also turned their attention to Hasan, the admin of a BreachForums spin-off. This particular offshoot has already raised eyebrows, previously featuring Nazi imagery and WWII references before quietly removing them (a rebrand, apparently). Even now, the platform retains what can only be described as… unusual energy.

The moderators accused Hasan of hijacking the BreachForums identity, dropping a statement that reads like a copyright dispute, if copyright disputes included full doxes. They allegedly published:
- A photo of Hasan’s driving licence
- Images of his home exterior
- A photo of him in what appears to be an educational setting
- Personal details about family members

At this point, we’ve moved well beyond forum politics and into full-blown digital warfare.

Despite all the chaos, accusations, and threats, BreachForums is back. Again.

The latest incarnation is now operating on a .ai domain, because nothing says cutting-edge cybercrime like borrowing a trendy TLD. Over the past month alone, the forum has bounced across at least five different domains, including .jp, .io, .ac, and now .ai. At this stage, domain-hopping isn’t a contingency plan, it’s a lifestyle.

Software Vulnerabilities

Fortinet FortiOS / FortiProxy, zero-day authentication bypass (KEV).
Fortinet appliances found themselves back in the spotlight thanks to an actively exploited authentication bypass. Attackers have been using it to waltz straight into edge devices, because apparently perimeter security now comes with optional doors.
What to do: patch immediately, check for suspicious admin logins, and assume any exposed device has been… socially visited.

Atlassian Confluence, newly exploited RCE chain (KEV update).
Confluence continues its long-standing tradition of being far too interesting to attackers. This week saw fresh exploitation activity tied to remote code execution paths, pushing it firmly back into KEV territory. If your documentation platform can execute code, attackers will treat it like a feature, not a flaw.
What to do: patch, restrict internet exposure, and review for web shell activity.

Palo Alto PAN-OS, management interface vulnerability (active exploitation).
Palo Alto issued fixes for a flaw affecting the management interface, with early signs of exploitation in the wild. Management planes are supposed to be sacred ground; unfortunately, attackers see them more like penthouse suites.
What to do: restrict access to management interfaces, apply patches, and audit for unusual configuration changes.

Progress Software (MOVEit ecosystem echoes).
Not a brand-new vulnerability, but a notable resurgence in exploitation attempts targeting organisations that never quite finished cleaning up after previous MOVEit incidents. The ghosts of unpatched systems continue to pay dividends for attackers.
What to do: if MOVEit was ever in your environment, verify patching, check for persistence, and don’t assume “we fixed that last year” still holds true.

Veeam Backup & Replication, privilege escalation flaw (KEV).
Backup systems are increasingly prime targets, and this vulnerability allows attackers to elevate privileges within Veeam environments. If your backups fall, your recovery plan becomes more of a suggestion than a strategy.
What to do: patch urgently and validate that backup repositories haven’t been tampered with.

Data & Privacy Headlines

UK and EU regulators circling AI data practices like hawks.
Regulators across Europe doubled down this week on scrutinising how AI systems are trained, particularly around personal data scraping. The message is becoming painfully clear: “publicly available” does not mean “fair game forever.” Expect enforcement to follow the rhetoric.

Data brokers quietly back in the firing line.
Privacy advocates and regulators are once again turning their attention to data brokers, those delightful middlemen who know more about you than your closest friends. Calls for tighter controls are ramping up, especially around location and behavioural data.
Takeaway: if your business model involves buying or selling data, now might be a good time to locate your compliance team.

Corporate surveillance vs employee privacy, tensions rising.
More organisations are deploying aggressive monitoring tools in the name of security (and productivity), but employees, and regulators, are starting to push back. The line between “security telemetry” and “workplace surveillance” is getting thinner by the week.

Breach fallout fatigue is setting in (but regulators aren’t tired).
While organisations are increasingly numb to breach headlines, regulators are very much awake and sharpening penalties. Enforcement actions are becoming more frequent and less forgiving, particularly where basic security controls were missing.

The rise of “privacy as a product feature” (finally).
On a slightly more optimistic note, companies are beginning to market privacy protections as a selling point rather than a compliance afterthought. It turns out users quite like not having their data sprayed across the internet, who knew?

Smarter Protection Starts with Awareness

Third-party exposure is now a first-order risk. You can’t patch what you can’t see.
Free Data Breach Exposure Scan: Check any domain in seconds: https://breachaware.com/scan
