[DATABASE LEAK] Max Messenger

DarkMAX · 15-01-26, 02:15 AM

Drain the database, you will be more donated by ordinary citizens than the government
#NoMax

aeroboss13 · 15-01-26, 02:18 AM

Ловит даже на парковке?

DarkMAX · (This post was last modified: 15-01-26, 02:19 AM by DarkMAX.)

(15-01-26, 02:18 AM)aeroboss13 Wrote: Ловит даже на парковке?

и защищает данные даже на парковке

(15-01-26, 02:19 AM)DarkMAX Wrote:
(15-01-26, 02:18 AM)aeroboss13 Wrote: Ловит даже на парковке?

и защищает данные даже на парковке

Phoen1xBur · 15-01-26, 02:28 AM

За что боролись, на то и напоролись

dan5karate · 15-01-26, 02:33 AM

(14-01-26, 04:13 AM)CamelliaBtw Wrote: Exactly one year ago, on March 26, 2025, Max Messenger was launched with loud promises of "unrivaled security" and a "new era of privacy." They claimed to be the "Telegram Killer." Today, that era ends before it even truly began.
It took us exactly 12 months to dismantle the security layers they spent years building. As of this morning, we have successfully exfiltrated the entire production database. The "unbreakable" has been broken.
Leaked Data Specifications (Total Volume: 142 GB Compressed):
User Profiles: 15.4 million records containing Full Names, Usernames, and verified Phone Numbers.

Auth Tokens & Keys: Valid session tokens that allow account hijacking bypassing 2FA, along with Bcrypt password hashes.

The Metadata Archive: Full communication logs (timestamps, sender/receiver IDs) since the launch day in March 2025.

Infrastructure Access: Internal SSH keys, API documentation, and AWS S3 bucket configurations containing unencrypted media assets.

Backend Source Code: The "proprietary" encryption module, including several hardcoded backdoors we discovered.

Technical Overview: The breach was executed via a critical 0-day RCE (Remote Code Execution) vulnerability within the messenger’s media processing engine. By injecting a malformed payload into a sticker pack metadata file, we gained persistent access. We discovered that this vulnerability existed since the beta phase in early 2025 and was never patched.
The Ultimatum: The developers have been notified, but their silence is deafening. We have already verified the accounts of several high-profile politicians and corporate executives who joined the platform during its "security hype" last year.
If a "bug bounty" is not negotiated within the next 24 hours, the first 5 gigabytes of raw SQL data will be mirrored across 10+ public torrent trackers.
Happy Anniversary, Max Messenger. Privacy is a myth.

thats funny

Isteeerikaaa · 15-01-26, 02:46 AM

(15-01-26, 01:59 AM)Isteeerikaaa Wrote: Will you publish the obtained data in the public domain?

(15-01-26, 02:28 AM)Phoen1xBur Wrote: За что боролись, на то и напоролись

Оооо вижу русских людей❤️

value · 15-01-26, 02:55 AM

Хорошая работа! В самом деле, я же не просто так налоги платил на которые клепали приложение. Надеюсь увижу, как и что у них было внутри.

notgi · 15-01-26, 02:57 AM

would mad max use max? xD few more hours to go till the deadline (or a war in iran, for that matter)

Mayonezzik · 15-01-26, 03:10 AM

Do all accounts have a username? After all, there is no way for regular accounts to set up a username in Max yet.

pu1seanon · 15-01-26, 03:20 AM

This looks a lot like a fake. The data doesn't match the API at all; it's just a collection of info from various leaks.