DarkForums Members · Posts: 9 · Threads: 1 · Joined: Jan 2026 · 3 Weeks
Exactly one year ago, on March 26, 2025, Max Messenger was launched with loud promises of "unrivaled security" and a "new era of privacy." They claimed to be the "Telegram Killer." Today, that era ends before it even truly began.
It took us exactly 12 months to dismantle the security layers they spent years building. As of this morning, we have successfully exfiltrated the entire production database. The "unbreakable" has been broken.
Leaked Data Specifications (Total Volume: 142 GB Compressed):
- User Profiles: 15.4 million records containing Full Names, Usernames, and verified Phone Numbers.
- Auth Tokens & Keys: Valid session tokens that allow account hijacking bypassing 2FA, along with Bcrypt password hashes.
- The Metadata Archive: Full communication logs (timestamps, sender/receiver IDs) since the launch day in March 2025.
- Infrastructure Access: Internal SSH keys, API documentation, and AWS S3 bucket configurations containing unencrypted media assets.
- Backend Source Code: The "proprietary" encryption module, including several hardcoded backdoors we discovered.
Technical Overview: The breach was executed via a critical 0-day RCE (Remote Code Execution) vulnerability within the messenger’s media processing engine. By injecting a malformed payload into a sticker pack metadata file, we gained persistent access. We discovered that this vulnerability existed since the beta phase in early 2025 and was never patched.
The Ultimatum: The developers have been notified, but their silence is deafening. We have already verified the accounts of several high-profile politicians and corporate executives who joined the platform during its "security hype" last year.
If a "bug bounty" is not negotiated within the next 24 hours, the first 5 gigabytes of raw SQL data will be mirrored across 10+ public torrent trackers.
Happy Anniversary, Max Messenger. Privacy is a myth.
DarkForums Members · Posts: 1 · Threads: 0 · Joined: Jan 2026 · 3 Weeks
Oh, I just installed the Max messenger.
DarkForums Members · Posts: 9 · Threads: 1 · Joined: Jan 2026 · 3 Weeks
Oh, that's funny btw
DarkForums Members · Posts: 8 · Threads: 0 · Joined: Oct 2025 · 3 Months
any sample or just words in da air?
DarkForums Members · Posts: 1 · Threads: 0 · Joined: Jan 2026 · 3 Weeks
I like that shit! So when you leak first 5GB?
DarkForums Members · Posts: 1 · Threads: 0 · Joined: Jul 2025 · 7 Months
(14-01-26, 07:23 PM)CamelliaBtw Wrote: Oh, that's funny btw
lol, give us a proper sample, not just a single line that might not even be related to this leak
DarkForums Members · Posts: 2 · Threads: 0 · Joined: Jan 2026 · 3 Weeks
Will you publish the obtained data in the public domain?