In a karmic case of the metaphorical shoe being on the other foot, a forum dedicated to stealing and sharing stolen information, credentials, and content was itself hacked, and the information on its 500,000 users leaked onto the net.

The target was Nulled.io, an underground forum in which users share software cracks, content leaks, and stolen personal information and credentials. The breach resulted in the theft of 9.45 gigabytes of information, including user information, IP addresses, passwords, and payment information such as PayPal emails and costs. In short, it was a huge sum of personal information.

Ars Technica notes that private message conversations were also leaked, in which users discuss notably illegal activities such as installing keyloggers, breaking into Hotmail accounts accounts, and trading stolen Bitcoin and PayPal accounts. With over 2 million posts and 800,000 private messages, there’s a lot of incriminating evidence that can be linked to the various user accounts.

While the means of breaching the forum are currently unknown, Threat Post reports, the options are not limited; the IP.Board forum, made by Invasion Power Services, Inc., has over 100 known vulnerabilities, so the hacker had plenty of options. It seems a little ironic that a forum for and about hackers would use a forum type with so many weaknesses, but hindsight is 20-20, as the saying goes.

According to Risk Based Security, Inc.:

“When services such as Nulled.io are compromised and data is leaked, often it exposes members who prefer to remain anonymous and hide behind screen names. By simply searching by email or IP addresses, it can become evident who might be behind various malicious deeds. With this being such a comprehensive dump of data, it offers up a very good set of information for matching a member ID to the attached invoices, transactions, and other content such as member messages and posts.”

Given the content in question on the forum, it’s no wonder why its members would want to keep their identities secret. In addition to tying names and faces to any number of cyber crimes, the forum members should know very well what kind of damage can be done with the information that was stolen and leaked.

Still, for a site whose tagline is “Expect the unexpected,” maybe they should have expected this.

Photo by The Preiser Project