Sensitive Information Exposed Through Doxbin Data Leak

On January 5, 2022, Cyble Research Lab discovered a Threat Actor (TA) who posted data on a cybercrime forum. Doxbin is a website used for leaking Personally Identifiable Information (PII), or “dox,” of any person of interest. The level of information gathered on a target varies from individual to individual. During our analysis of the data, we saw some DOX containing plain text passwords – a few had details such as name, email, location, occupation, etc.

Figure 1 shows the post by the TA on the cybercrime forum.

Figure 1: Post by TA on the forum

The TA claims that the data was initially posted on the Telegram channel of Doxbin. Upon further investigation, we found that TA named breachbase, also known as white, bought Doxbin for $75K. Still, after 2-3 months of acquisition, he sold it back to its previous owners kt & Brenton, and, along with that, leaked the doxbin data.

Figure 2 displays the Doxbin site.

Figure 2: Doxbin official site

The site recently started operating. As a result, a data leak notice was posted highlighting the incident exposing data of Doxbin users. Figure 2 showcases the recent data leak notice. The released statement pointed out that the leaked information refers to the Doxbin users accessing the site during the white/breachbase ownership. The leak includes information as follows:

  • Account email addresses
  • Bcrypt hashed passwords
  • Blacklist information
  • 2FA secret codes
  • Plaintext passwords
Figure 3: Recent Data Leak Notice on Doxbin site

After breachbase acquired the site, it’s suspected that the TA started logging data of Doxbin users like IP and plain text passwords. The leaked data contains information on individuals who doxed and those who got doxed.

Leaked data contains the following information:

  • Name
  • Email
  • Contact Number
  • Profession
  • Family member Details
  • Age
  • Geo Location
  • IP address
  • Address
  • Aliases-Social media Handles
  • Gender
  • Date of Birth
  • Plain text passwords
  • Stealer Logs
  • National Identity Number
  • Chats

This leak has impacted the general population and the Threat Actors (TAs). In addition, we found a few doxed TAs whose PII was revealed on Doxbin. For example, figure 4 showcases the alleged PII of Omnipotent, the admin of a cybercrime forum RaidForums.

Figure 4: RaidForums admin details

Figure 5 shows the alleged details of TA named pompompurin, one of the TA’s with a high reputation score on RaidForums.

Figure 5: TA pompompurin details

Figures 6-9 contain sensitive records of a single Individual, and the data format is similar for other records.

Figure 6: Personal Information, Social Media Accounts
Figure 7: IP Details
Figure 8: Family Members and House Information
Figure 9: Chats

Figure 10 shows a Social Security Number.

Figure 10: Social Security Number

Figure 11 displays the details of the Doxbin users. The first record, ‘kt,’ belongs to the first owner of Doxbin.

Figure 11: Doxbin Users

Figure 12 shows the stealer logs. It appears that the victim was infected with a mercurial grabber.

Figure 12: Stealer Logs

The leaked data contains over 700K email addresses. Figure 12 displays the tentative count for the top 10 email domains exposed.

DomainNumber of leaked Emails
Table 1: Top 10 domains impacted in leak


This leak has revealed a lot of sensitive information, and anyone can access it as data is freely available. Though there are details of individuals whose identities were doxed, the leak also contains details of individuals who doxed others. This leak can have impacts such as:

  • Doxed information also includes work related details of an individual which might be exploited to carry to out phishing attacks.
  • The leak includes login details and plain text passwords of some victims and Threat Actors can try to compromise those accounts.
  • We might witness malicious activities such as identity theft emerging from this leak.

Our Recommendations

Following some essential cybersecurity best practices create the first line of control against attackers. We recommend our readers follow the best practices as given below:  

  • ​Impacted individuals must reset their passwords.
  • Verify links received from untrusted sources before clicking them as TAs might attempt phishing.
  • Check your email accounts and other exposed accounts for compromise.
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Conduct regular backup practices and keep those backups offline or in a separate network.
See Cyble Vision in Action

Comments are closed.

Scroll to Top