[DATABASE LEAK] Max Messenger

deffi1q0 · 15-01-26, 03:14 PM

Абманули и надули! Базы никакой не слито. Но трясочка неплохая)

turborigby · 15-01-26, 04:14 PM

збс база с фейк данными, но в РФ испугались) молодцы, пугать умеете

CamelliaBtw · 15-01-26, 08:24 PM

Yet, who can truly say? Perhaps the lie was mine to tell, or perhaps it was woven by MAX support. But what if this is merely the haunting silence before the storm?

fundvapor · 15-01-26, 08:26 PM

thnaks

domingo · 15-01-26, 09:01 PM

(15-01-26, 08:24 PM)CamelliaBtw Wrote:
Yet, who can truly say? Perhaps the lie was mine to tell, or perhaps it was woven by MAX support. But what if this is merely the haunting silence before the storm?

Feels like watching a TV-show with writers chaotically changing every episode while having strong visions about the main plot of their own. See-saw saga!

fundvapor · 16-01-26, 12:06 PM

thanks

elbekhalilov12 · 16-01-26, 04:10 PM

(14-01-26, 04:13 AM)CamelliaBtw Wrote: Exactly one year ago, on March 26, 2025, Max Messenger was launched with loud promises of "unrivaled security" and a "new era of privacy." They claimed to be the "Telegram Killer." Today, that era ends before it even truly began.
It took us exactly 12 months to dismantle the security layers they spent years building. As of this morning, we have successfully exfiltrated the entire production database. The "unbreakable" has been broken.
Leaked Data Specifications (Total Volume: 142 GB Compressed):
User Profiles: 15.4 million records containing Full Names, Usernames, and verified Phone Numbers.

Auth Tokens & Keys: Valid session tokens that allow account hijacking bypassing 2FA, along with Bcrypt password hashes.

The Metadata Archive: Full communication logs (timestamps, sender/receiver IDs) since the launch day in March 2025.

Infrastructure Access: Internal SSH keys, API documentation, and AWS S3 bucket configurations containing unencrypted media assets.

Backend Source Code: The "proprietary" encryption module, including several hardcoded backdoors we discovered.

Technical Overview: The breach was executed via a critical 0-day RCE (Remote Code Execution) vulnerability within the messenger’s media processing engine. By injecting a malformed payload into a sticker pack metadata file, we gained persistent access. We discovered that this vulnerability existed since the beta phase in early 2025 and was never patched.
The Ultimatum: The developers have been notified, but their silence is deafening. We have already verified the accounts of several high-profile politicians and corporate executives who joined the platform during its "security hype" last year.
If a "bug bounty" is not negotiated within the next 24 hours, the first 5 gigabytes of raw SQL data will be mirrored across 10+ public torrent trackers.
Happy Anniversary, Max Messenger. Privacy is a myth.
That was a great job, I admire it.

bugle · 16-01-26, 04:28 PM

(14-01-26, 04:13 AM)CamelliaBtw Wrote: Exactly one year ago, on March 26, 2025, Max Messenger was launched with loud promises of "unrivaled security" and a "new era of privacy." They claimed to be the "Telegram Killer." Today, that era ends before it even truly began.
It took us exactly 12 months to dismantle the security layers they spent years building. As of this morning, we have successfully exfiltrated the entire production database. The "unbreakable" has been broken.
Leaked Data Specifications (Total Volume: 142 GB Compressed):
User Profiles: 15.4 million records containing Full Names, Usernames, and verified Phone Numbers.

Auth Tokens & Keys: Valid session tokens that allow account hijacking bypassing 2FA, along with Bcrypt password hashes.

The Metadata Archive: Full communication logs (timestamps, sender/receiver IDs) since the launch day in March 2025.

Infrastructure Access: Internal SSH keys, API documentation, and AWS S3 bucket configurations containing unencrypted media assets.

Backend Source Code: The "proprietary" encryption module, including several hardcoded backdoors we discovered.

Technical Overview: The breach was executed via a critical 0-day RCE (Remote Code Execution) vulnerability within the messenger’s media processing engine. By injecting a malformed payload into a sticker pack metadata file, we gained persistent access. We discovered that this vulnerability existed since the beta phase in early 2025 and was never patched.
The Ultimatum: The developers have been notified, but their silence is deafening. We have already verified the accounts of several high-profile politicians and corporate executives who joined the platform during its "security hype" last year.
If a "bug bounty" is not negotiated within the next 24 hours, the first 5 gigabytes of raw SQL data will be mirrored across 10+ public torrent trackers.
Happy Anniversary, Max Messenger. Privacy is a myth.

thk