On March 15, 2023, US law enforcement arrested a man from New York who was accused of being the administrator of BreachForums, a well-known and probably the largest Dark Web marketplace for leaking and selling stolen data.
At first, a new administrator rose to the occasion and said they were working on a plan to get the forum through the problems caused by that arrest. But on Tuesday March 21, 2023 this new administrator announced the decision to shut BreachForums down.
BreachForums was set up by the arrested administrator working under the handle “Pompompurin” after the FBI seized RaidForums in 2022. On his arrest, 21-year-old Conor Brian Fitzpatrick allegedly confessed he used the alias Pompompurin and that he was the owner and administrator of BreachForums. Fitzpatrick has been charged with a single count of conspiracy to commit access device fraud.
Since Pompompurin not only headed up BreachForums but has also allegedly been involved in some major breaches himself, more charges may follow. For example, Pompompurin was linked to the 2022 breach of the FBI’s InfraGard network and he took credit for sending out thousands of fake emails about a cybercrime investigation by abusing a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP).
Another forum administrator going by the account name “Baphomet” said they were working through an emergency plan for the forum after the arrest of Fitzpatrick. After taking ownership of the forum Baphomet announced an impending migration to a new infrastructure.
But after Baphomet noticed that someone had logged in to one of the old servers following the arrest of Fitzpatrick, they said they had serious misgivings about the forum being compromised. That server, which was left unchanged, should only have been accessible from Fitzpatrick's machine.
A statement signed by Baphomet says:
"Any servers we use are never shared with anyone else, so someone would have to know the credentials to that server to be able to log in. I now feel like I'm put into a position where nothing can be assumed safe, whether it's our configs, source code, or information about our users; the list is endless. This means that I can't confirm the forum is safe, which has been a major goal from the start of this sh*tshow."
Unfortunately, there is no reason to assume that your stolen data is now suddenly safe. There are plenty of other forums, and Baphomet talked about plans to revive BreachForums with the help of competitor forum admins and various service operators. Besides that, we have already noticed a shift from the use of forums to Telegram channels that serve the same illicit purposes.
There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.
- Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA, such as codes sent by SMS or entered from an app, can be phished just as easily as a password. 2FA that relies on a FIDO2 device can't be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.