Fourth time's a charm - OGUsers hacking forum hacked again

Popular hacking forum OGUsers has been hacked for its fourth time in two years, with hackers now selling the site's database containing user records and private messages.

OGUsers is a hacking forum known for the sale of stolen social media accounts hacked through SIM-swapping attacks, credential stuffing attacks, and other means. 

More recently, OGUsers members were charged by the US Department of Justice for their role in a string of successful hacks on verified Twitter accounts used to promote a cryptocurrency scam.

OGUsers hacked earlier this month

Last week, cyberintelligence firm KELA tweeted that the OGUsers forum administrator confirmed that the site was hacked after hackers uploaded a web shell to their server.

OGUsers admin announcing April 2021 hack
Source: KeLA

At the time, the OGUsers admin was unsure if the database was compromised, but soon after, members on a competing hacking forum began selling the stolen OGUsers database for $3,000.

Forum post selling the OGUsers database

A source familiar with the attack has told BleepingComputer that OGusers was hacked on April 11th, 2021, and that the attackers gained access to a complete dump of the forum database. This dump includes the user records and private messages for approximately 350,000 OGUsers members.

BleepingComputer was told by this source that OGUsers uses many plugins that contain vulnerabilities that attackers can chain together to "shell the site."

Vitali Kremez, CEO of cybersecurity intelligence firm Advanced Intel, told us that database leaks on criminal forums could benefit law enforcement and security researchers.

"This purported OGUsers leak can potentially expose cybercriminals via their registration email accounts and IP addresses and link back to their real identities."

"Previous OGUsers leaks revealed critical clues that helped unmask cybercriminal operations especially those that are related to cryptocurrency account takeover fraud and SIM swapping operations," Kremez told BleepingComputer.

Multiple hacks in the past

This is not the first time OGUsers has been hacked and their databases sold by other hackers.

In May 2019, the OGUsers admin informed its users that they were hacked after hackers exploited a custom plugin. Brian Krebs reported that OGUsers was again hacked in November 2020.

Finally, they were also hacked in April 2020 after an attacker uploaded a web shell via the avatar upload forum feature.

Announcement for the April 2020 hack
Source: KeLA

"We believe that we will likely be seeing many OGUsers members shifting to other communities - and maybe even establishing new ones - given both the poor operational security and the damage to the OG brand among fraudsters and other criminal actors,"  Davidi Carmiel, KELA's CTO, shared with BleepingComputer.

When we asked our source in the hacker community whether they felt OGUsers would be hacked again, they responded immediately with, "Yes."