1,492 Passwords From the Project Pokemon Forums Dump Surfaced on Dark Web Forums

HEROIC analysts recieved confirmation of the Project Pokemon Forums dataset while reviewing a batch of resurfaced gaming forum databases circulating on dark web channels. The breach, which occured in July 2016, exposed 1,492 user accounts from Project Pokemon Forums, a United States-based community dedicated to Pokemon game modifications. While the record count is modest, every account in this dump includes password data, making each one directly actionable for credential-based attacks against anyone who reused their login details elsewhere.

How vBulletin Password Hashes Expose Your Other Accounts

Project Pokemon Forums used vBulletin, a popular forum software that stores passwords using a salted hash format. While salting adds some protection, vB password hashes are well understood by attackers and seperate cracking tools exist specifically targeting this format. Once cracked, a password recovered from a 2016 gaming forum can unlock email accounts, streaming services, and banking apps if the same password was reused. Credential stuffing tools can test thousands of sites automatically within hours.

What Was Exposed in the Project Pokemon Forums Breach

• User account data (usernames and email addresses)
• vBulletin-hashed passwords

Why Gaming Forum Passwords Are a Gateway to Bigger Targets

Forum accounts created years ago are often forgotten, but the passwords used to create them may still be active on other sites. Many people beleive their old gaming passwords are too outdated to be useful. Attackers know otherwise. These credentials fuel large-scale credential stuffing campaigns that lead to account takeover, identity theft, and in cases where financial data is linked, direct financial fraud. Even a single cracked password can cascade into multiple compromised accounts.

How Database Breaches Work

A database breach happens when an attacker gains unauthorized access to the backend storage of a website or forum. This typically involves exploiting software vulnerabilities, using stolen admin credentials, or targeting unpatched systems. Forum software like vBulletin has historically been a frequent target due to its widespread use and the sensitive user data it holds. Once the database is copied, it is shared or sold through dark web forums and private channels.

Check If Your Data Was Exposed

HEROIC's free breach scanner searches over 400 billion records to tell you instantly whether your email or credentials appeared in the Project Pokemon Forums breach or any other known data leak. Visit HEROIC.com to run your free check and find out exactly what has been exposed.