Irony Strikes As Hacking Site Hacked

John Lister's picture

A major website used by hackers to exchange stolen data has itself been hacked. The breach has exposed hundreds of thousands of user accounts.

The site called "Nulled" hosted discussion forums for users to exchange tips on how to hack into websites. It also included a section for buying and selling data such as stolen account information. Ironically, given the new development, the site had the slogan "Expect the unexpected." At the time of writing, the site was offline for "temporary unscheduled maintenance," with its database leaked onto other websites for download.

It appears that whoever attacked the site took advantage of a flaw either in the message board software or "plugins" that can be added to the software for special features such as financial transactions.

Entire Forum Database Breached

The Risk Based Security website reports that the attackers stole a 9.45 gigabyte database file that appears to be the complete database of the message board. That includes personal details such as user names, email addresses and the IP address of the computer each user connected from when they signed up. (Source:

The database also includes each user's chosen password for accessing the site, though this was stored in encrypted form. This has been described as a weak hashing encryption, meaning the attackers may well be able to decrypt the passwords, but would take some time to do so.

Also in the file is a complete copy of every post made on the site, including those in a VIP section only available to paid subscribers, along with private messages sent between users. As Risk Based Security points out, the exposure of the VIP section content means its highly unlikely anyone would ever think it worthwhile paying for access on the site again, which may destroy the site's business model.

Cybercrime Cops Will Relish Revelations

The data from the section for financial transactions does include some account details such as the email addresses used for PayPal payments, though not enough information to allow these accounts to be used without authorization.

It's likely the user registration details that will be the most serious breach for users. Law enforcement that have tried to previously track down 'hacker suspects' may be able to use the database to find proof that particular individuals have effectively admitted to illegal activity. (Source:

What's Your Opinion?

Do you have any sympathy for the users of the hacked hacking site? Can the attack be justified or do two wrongs never make a right? Were the users naive to talk about hacking in a forum that ran using vulnerable software?

Rate this article: 
Average: 4.9 (11 votes)


Dennis Faas's picture

Interesting - according to, the forum used on's website had 185 vulnerabilities so far 2016 - that's a heck of a lot of bugs. It should be noted that no software is immune to vulnerabilities, so just because this was a 'hacker' site does not mean they are invincible. As long as an exploit is accessible, then any site / machine can be hacked.

gbruce40_3626's picture

I have no sympathy for the users of the hacked hacking site, they were trying to get information to hack us.

I really think this hacking business is getting worse and will ultimately result in closing down the internet. To begin with the insane method of using passwords to sign in to legitimate websites like this one, just does not work. Some bright spark has to come up with a more secure method and those writing the code for websites have to up their abilities.

alan.cameron_4852's picture

@gbruce40_3626 Yes I agree but hope is in sight.
Check out the project SQRL
Steve Gibson has spent almost 3 years developing this with assistance from the many supporters in the news group.
The details of the project can be found by clicking in the links at the bottom of the page.