A threat actor has published a database dump from PicBackMan, a popular online image and video backup service, on a monitored hacker forum. Confirmed by Brinztech threat intelligence on 16 April 2026, the Tier 2 exposure event compromises the platform's core user authentication architecture, behavioral metadata, and credential storage fields, creating immediate account takeover risk for the service's global user base.

What Happened

Brinztech analysts identified a database dump posted to a hacker forum containing PicBackMan's backend user management records. The leaked schema reveals deep compromise of the SaaS platform's authentication subsystem, including credential storage tables, user activity counters, and device telemetry. The presence of legacy credential fields in the dump indicates long-standing weaknesses in the platform's secure development lifecycle, with the leaked data appearing to span the active user base of the cloud backup service.

What Was Taken

The exposed dataset includes a comprehensive user authentication and behavioral profile for each affected account:

Why It Matters

The combination of email addresses, password hashes, salts, and potential plaintext legacy passwords delivers an off-the-shelf credential stuffing toolkit to any threat actor who acquires the dump. Because PicBackMan customers entrust the service with their personal photo and video archives, account takeover translates directly into exposure of intimate, irreplaceable digital assets. The presence of old_password columns also signals systemic weaknesses likely to attract follow-on probing of the broader backend.

The Attack Technique

The initial intrusion vector has not been publicly disclosed. The schema shape, however, points to a server-side database compromise rather than a client-side or credential-replay attack: full tables containing salts and historical password fields are typically obtainable only through SQL injection, exposed admin interfaces, misconfigured backups, or compromised infrastructure credentials. The fact that legacy plaintext-style columns persist in production storage indicates the attacker likely accessed the live database or a recent unprotected backup snapshot.

What Organizations Should Do

  1. Force a global password reset for all PicBackMan accounts and invalidate active sessions, API tokens, and linked third-party OAuth grants.
  2. Audit the backend for password and old_password columns across all tables, purge plaintext credential storage, and migrate all hashes to a modern memory-hard algorithm such as Argon2id with per-user salts.
  3. Enforce mandatory multi-factor authentication for all user accounts and privileged administrative access to the backup infrastructure.
  4. Monitor identity providers and breach-monitoring feeds for credential stuffing waves targeting reused PicBackMan passwords, particularly against banking, email, and cloud storage services.
  5. Issue clear customer notifications warning of targeted phishing using leaked behavioral details (upload counts, device types) and provide an authoritative channel for support communications.
  6. Engage external DFIR support to scope the intrusion timeline, identify the initial access vector, and confirm whether any media files or payment data were also accessed.
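The audit and hash-migration work in item 2 can be done without ever handling plaintext passwords: wrap each legacy hash inside a memory-hard hash so the old_password column can be purged immediately, then re-hash the real password transparently the next time each user logs in. The following is an added example, not Brinztech's or PicBackMan's code. It assumes a hypothetical legacy scheme (SHA-1 over salt plus password), uses an in-memory SQLite database with constructed rows shaped like the fields the alert lists, and substitutes the standard library's scrypt for the Argon2id the alert recommends, since Argon2id needs a third-party package.

```python
import hashlib
import hmac
import secrets
import sqlite3

# scrypt parameters (memory-hard). The alert recommends Argon2id; scrypt is
# used here only because it ships in the Python standard library.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Column names that the audit treats as credential storage (assumed list).
CREDENTIAL_COLUMNS = {"password", "old_password", "passwd", "pwd", "password_hash"}

# Constructed sample schema mirroring the field types the alert describes.
SAMPLE_SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT, password TEXT, salt TEXT,
    old_password TEXT, upload_count INTEGER
);
CREATE TABLE devices (id INTEGER PRIMARY KEY, user_id INTEGER, device_type TEXT);
"""


def legacy_hash(password: str, salt: str) -> str:
    """Hypothetical legacy scheme: SHA-1 over salt || password."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def scrypt_hash(secret: str, salt: bytes) -> str:
    """Memory-hard hash with a fresh per-record salt, self-describing format."""
    digest = hashlib.scrypt(secret.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def scrypt_verify(secret: str, stored: str) -> bool:
    """Constant-time check of `secret` against a stored scrypt string."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(secret.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def find_credential_columns(conn):
    """Audit step: every (table, column) whose name looks like a credential field."""
    hits = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for _, name, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if name.lower() in CREDENTIAL_COLUMNS:
                hits.append((table, name))
    return hits


def migrate(conn):
    """Wrap every legacy hash in scrypt (no plaintext needed) and purge old_password."""
    cols = {name for _, name, *_ in conn.execute('PRAGMA table_info("users")')}
    if "legacy_wrapped" not in cols:  # idempotent: safe to re-run
        conn.execute("ALTER TABLE users ADD COLUMN legacy_wrapped INTEGER NOT NULL DEFAULT 0")
    rows = conn.execute("SELECT id, password FROM users").fetchall()
    for uid, stored in rows:
        if stored.startswith("scrypt$"):
            continue  # already migrated
        wrapped = scrypt_hash(stored, secrets.token_bytes(16))
        conn.execute("UPDATE users SET password = ?, legacy_wrapped = 1 WHERE id = ?",
                     (wrapped, uid))
    conn.execute("UPDATE users SET old_password = NULL")  # purge plaintext legacy column
    conn.commit()
    return len(rows)


def login(conn, email: str, password: str) -> bool:
    """Verify a login; on success for a wrapped row, re-hash the password directly."""
    row = conn.execute("SELECT id, password, salt, legacy_wrapped FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return False
    uid, stored, salt, wrapped = row
    # Wrapped rows are scrypt(legacy_hash(pw)); migrated rows are scrypt(pw).
    secret = legacy_hash(password, salt) if wrapped else password
    if not scrypt_verify(secret, stored):
        return False
    if wrapped:  # transparent upgrade: drop the legacy layer now that we hold the plaintext
        conn.execute("UPDATE users SET password = ?, legacy_wrapped = 0 WHERE id = ?",
                     (scrypt_hash(password, secrets.token_bytes(16)), uid))
        conn.commit()
    return True


def build_sample_db():
    """Constructed in-memory database with one legacy-format user row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    salt = "a1b2c3"
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', ?, ?, 'hunter2', 42)",
                 (legacy_hash("correct horse", salt), salt))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("credential columns:", find_credential_columns(db))
    print("rows wrapped:", migrate(db))
    print("login ok:", login(db, "alice@example.com", "correct horse"))
```

The wrapping step is what allows old_password to be nulled on day one rather than after every user has logged in, and the legacy_wrapped flag records which rows still carry the SHA-1 layer so the transparent upgrade only runs once per account.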

Sources: Brinztech Alert: PicBackMan Cloud Backup Database Leak