Hackers’ forum hacked, OGUsers database dumped (again)

A rival hacking forum has yet again hacked OGUsers – the second time in a year – and yet again doxxed its database for one and all to grab, fast on the heels of the attack.

OGUsers is a forum devoted to trading stolen Instagram, Twitter and other accounts, with a special place in its dark heart for hackers who like to trade SIM swappers’ stolen phone numbers and Bitcoin accounts.

An announcement of this second attack was first spotted by data breach monitoring service Under the Breach: the same service that recently noticed that data belonging to nearly every citizen of the country of Georgia had been posted on a hackers forum.

On Thursday, Under the Breach tweeted a screengrab of a notice posted that day by OGUsers’ admin, who goes by the username Ace. In that post, Ace claimed that a hacker successfully pulled off the breach by uploading a shell to the avatar uploading feature.

Within a few hours, a rival forum dumped OGUsers’ database of about 200,000 user records, Under the Breach reported early Friday morning. Those users’ passwords apparently weren’t encrypted, given Under the Breach’s claim that over half of them had already been converted to plaintext as of the time the service posted:

Well that was quick, rival forum already dumped the OGusers database for everyone to grab!

200,551 records, of which 126,431 already had their passwords cracked to plaintext!

It all reeks of déjà vu, down to the “this happens to all sites” and “this will never happen again” spiel that Ace copy-pasted from their hackers-hacking-hackers announcement of May 2019.

You must realize other sites such as Twitter, Facebook, Dropbox, Forums you have used in the past, and many more have been breached at least once. People are targeting the site 365 days a year. Again, I am deeply sorry this occurred and I will do my best to make sure it never happens again.

Make that “It will never happen again, until it does.” Here’s what led to Ace making that same claim 11 months ago:

Hackers hacked Numero Uno

Ace announced in May 2019 that an outage had been caused by hard drive failure that erased months’ worth of private forum posts and prestige points. The OGUsers admin said that they’d restored a backup from January 2019. It later turned out that the outage coincided with the theft of the forum’s user database and the erasure of its hard drives.

Four days after Ace’s 2019 announcement, the administrator of a rival hacking community, RaidForums, announced that they’d uploaded OGUsers’ database. Come and get it, the admin taunted, raising an eyebrow at OGUsers’ use of the vulnerability-vexxed MD5 hashing function.

OGUsers background

As Motherboard has reported, OGUsers – called OGU by its members – is a forum popular among hackers who specialize in hijacking people’s accounts, particularly through SIM swapping.

Launched in April 2017, the forum is a market for buying and selling “OG” usernames. That’s short for “original gangster” and refers to usernames that are considered desirable, whether it’s because they’re short – such as @t or @ty – or because they’re considered cool, such as @Sex or @Eternity, or then again, because they belong to celebrities, such as, say, the Twitter accounts of Wikipedia co-founder Jimmy Wales, comedian Sarah Silverman, or NASA, to name just a few.

According to Motherboard, OGUsers have traded in hijacked social media accounts, as well as in PlayStation Network, Steam, Domino’s Pizza, and other online accounts.

Hackers hacked Numero Dos

It’s surprising that OGUsers managed to amass over 200,000 users in the months following its first hacking, given that users left the sinking ship in droves the first time.

Be that as it may, in the Thursday post, Ace said that the site had forced a password change for all users. Ace also recommended that users – made up, presumably, of mostly SIM swapping/account hijacking crooks – turn on two-factor authentication (2FA) to protect themselves.

2FA is always a fine idea. That’s true, even though we’d love it were law enforcement to benefit from criminals’ crappy infosec to track them down.

This being a “here we go again” story, here we go again when we point out that we can’t be too tickled about crooks kicking each other’s shins off. Malware is a scourge that Sophos battles all the time, so we can’t applaud too loudly, even when, say, a Nigerian scammer infects himself.

And like we said when we reported about hackers hacking hackers – if hackers can be hacked, then so can you, if you aren’t careful.

If a website gives you the option to turn on two-factor authentication (2FA or MFA), do it. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:


(Audio player above not working? Download MP3 or listen on Soundcloud.)