4chan has been hacked

[videogamesm12]

4chan, the imageboard that was once a firm pillar of the old wild west age of the internet where some of the wildest memes, protests, and raids have originated, has been hacked by users of a spin-off known as soyjak.party (which originated from a now-deleted board on 4chan known as /qa/). They managed to gain access to specific boards, internal panels intended for staff members, the names and email addresses of all staff members, and even the complete source code of the imageboard software itself.

Some of the screenshots that have been spread throughout social media platforms like Twitter​

The attacker began posting screenshots of internal panels and the elusive /j/ board (intended for staff communication) Monday night at around 10 PM EST on the aforementioned spin-off board, bragging about having the keys to the kingdom. Within minutes they they promptly recreated the /qa/ board, vandalized a couple of other boards with text like "/QA/ FUCKING WON", and leaked a small piece of the site's source code. Judging from the replies by users witnessing the shenanigans, the response was one of excitement and enthusiasm. Then, the bombshell dropped: a list of staff usernames, email addresses, and ranks. Some had .edu email addresses, but a narrative soon sprouted that certain staff members had .gov email addresses, which is not true. After a lot of speculation and some apparent downtime, the attacker dropped a 7z file containing the source code of the imageboard software that powers the site along with some allegedly pretty chilling details about how out of date and vulnerable the site really was.

4chan was apparently running a version of FreeBSD that was originally released in 2014, had reached its end of life date in 2016, and appears to have been last dicked around with at the base level in 2019. That's right, FreeBSD 10.1. Supposedly, that wasn't even the worst part of it. It's been alleged that some of the code in the software is vulnerable to an attack of sorts related to PHP and a lack of upload validation. I could not verify this part myself as I'm going off the memory of reading a post I saw several hours ago that was alleged to come from the attacker, but it wouldn't be surprising if it turns out to be true.

Most media outlets reporting on this are painting this as some act of vigilantism or try to imply that there are some forms of politics to be taken note of, but this is more of a "son clubbing the absolute fuck out of his father for pissing him off" scenario as the entire point of the hack wasn't for political gain. It was, like many hacks of the early internet, intended to get some good laughs out of causing a shitload of chaos and brag about bringing what was once a titan to its knees.

The future of 4chan itself is uncertain. For years the site's reputation has pretty severely disintegrated as it went from basically the "anything goes" website that could singlehandedly bring companies and other organizations to their knees if executed correctly to the face of complete political retardation to just a dumping ground for video game source code leaks. Most of the more unhinged and crazy individuals that were around on the site which gave it the reputation it earned moved on to greener pastures or stuck around only to seek refuge in other communities. Some are speculating that this could permanently kill the site while others are more optimistic about the site's future but still temper their expectations by noting that it'll take weeks for things to return to any form of normalcy.

 

[fleshly]

4chan inadvertently causing its own downfall by helping to create a website that's more terminally online than itself lmfao

 

[zrfv]

4chan inadvertently causing its own downfall by helping to create a website that's more terminally online than itself lmfao

Quite ironic indeed An ironic victory for /QA/!

 

[videogamesm12]

After a little more than a week, 4chan has come back online and the vandalism has been reverted. On the site's blog, they have detailed an outline of what exactly happened, what they have done to fix it, and what was done before the hack to try to mitigate the glaring security issues that ultimately proved to be too little too late. Despite this, the blog post itself seems to paint a cautious, optimistic vision for the future of the site.

Still Standing​

On the afternoon of April 14th, a hacker using a UK IP address exploited an out-of-date software package on one of 4chan’s servers, via a bogus PDF upload. With this entry point, they were eventually able to gain access to one of 4chan’s servers, including database access and access to our own administrative dashboard. The hacker spent several hours exfiltrating database tables and much of 4chan’s source code. When they had finished downloading what they wanted, they began to vandalize 4chan at which point moderators became aware and 4chan’s servers were halted, preventing further access.

Over the following days, 4chan’s development team surveyed the damage, which to be frank, was catastrophic. While not all of our servers were breached, the most important one was, and it was due to simply not updating old operating systems and code in a timely fashion. Ultimately this problem was caused by having insufficient skilled man-hours available to update our code and infrastructure, and being starved of money for years by advertisers, payment providers, and service providers who had succumbed to external pressure campaigns.

We had begun a process of speccing new servers in late 2023. As many have suspected, until that time 4chan had been running on a set of servers purchased second-hand by moot a few weeks before his final Q&A, as prior to then we simply were not in a financial position to consider such a large purchase. Advertisers and payment providers willing to work with 4chan are rare, and are quickly pressured by activists into cancelling their services. Putting together the money for new equipment took nearly a decade.

In April of 2024 we had agreed on specs and began looking for possible suppliers. Money is always tight for us, and few companies were willing to sell us servers, so actually buying the hardware wasn’t a trivial problem. We managed to finalize a purchase in June, and had the new servers racked and online in July. Over the next few months we slowly moved functionality onto the new servers, but we had still been relying on the old servers for key functions. Everything about this process took much longer than intended, which is a recurring theme in this debacle. The free time that 4chan’s development team had available to dedicate to 4chan was insufficient to update our software and infrastructure fast enough, and our luck ran out.

However, we have not been idle during our nearly two weeks of downtime. The server that was breached has been replaced, with the operating system and code updated to the latest versions. PDF uploads have been temporarily disabled on those boards that supported them, but they will be back in the near future. One slow but much beloved board, /f/ - Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files. We are bringing on additional volunteer developers to help keep up with the workload, and our team of volunteer janitors & moderators remains united despite the grievous violations some have suffered to their personal privacy.

4chan is back. No other website can replace it, or this community. No matter how hard it is, we are not giving up.

While users of soyjak.party have been celebrating their victory, allegedly they too weren't immune from security issues. A sector of their site which is wholly dedicated to hosting and archiving soyjak images of all kinds was apparently vandalized and subsequently shut down, though this seems to have had very little effect on the rest of the site if true. There appears to be a sort of clash between the imageboard cultures as I'm seeing some back and forth about retaliatory attacks on both sites.